AWS Directory Service
Administration Guide (Version 1.0)

Delegating Directory Join Privileges (Simple AD and Microsoft AD)

To join a computer to your directory, you need an account that has privileges to join computers to the directory.

With Simple AD, members of the Domain Admins group have sufficient privileges to join computers to the directory.

With AWS Directory Service for Microsoft Active Directory, members of the Admins and Server Admins groups have these privileges.

However, as a best practice, you should use an account that has only the minimum privileges necessary. The following procedure demonstrates how to create a new group called Joiners and delegate to it only the privileges needed to join computers to the directory. The delegation is scoped to computer objects in the Computers container; members of Joiners gain no rights over users, groups, or other OUs.

You must perform this procedure on a machine that is joined to your directory and has the Active Directory Users and Computers MMC snap-in installed. You must also be logged in as a domain administrator.

AWS Directory Service for Microsoft Active Directory

To delegate join privileges

  1. Open Active Directory Users and Computers and, in the navigation tree, select the organizational unit (OU) that has your NetBIOS name, then select the Users OU.

                            [Screenshot: Active Directory Users and Computers]


    When you launch an AWS Directory Service for Microsoft Active Directory directory, AWS creates an organizational unit (OU) that contains all of your directory's objects. This OU, named with the NetBIOS name that you typed when you created the directory, is located in the domain root. The domain root is owned and managed by AWS; you cannot make changes to it, so you must create the Joiners group within the OU that has your NetBIOS name.

  2. Open the context menu (right-click) for Users, choose New, and then choose Group.

  3. In the New Object - Group box, type the following and choose OK.

    • For Group name, type Joiners.

    • For Group scope, choose Global.

    • For Group type, choose Security.

  4. In the navigation tree, select the Computers container under your NetBIOS name. From the Action menu, choose Delegate Control.

                            [Screenshot: Delegate Control menu]
  5. On the Delegation of Control Wizard page, choose Next, and then choose Add.

  6. In the Select Users, Computers, or Groups box, type Joiners and choose OK. If more than one object is found, select the Joiners group created above. Choose Next.

  7. On the Tasks to Delegate page, select Create a custom task to delegate, and then choose Next.

  8. Select Only the following objects in the folder, and then select Computer objects.

  9. Select Create selected objects in this folder and Delete selected objects in this folder. Then choose Next.

                            [Screenshot: Object type]
  10. Select Read and Write, and then choose Next.

                            [Screenshot: Permissions]
  11. Verify the information on the Completing the Delegation of Control Wizard page and choose Finish.

  12. Create a user with a strong password and add that user to the Joiners group. This user must be in the Users container that is under your NetBIOS name. The user then has sufficient privileges to join instances to the directory. Because this account's credentials are handed to the instances that perform the join, give it no other group memberships and use it for nothing else.
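The same delegation expressed in PowerShell, as an added example that is not part of the AWS guide. It assumes the RSAT ActiveDirectory module on a domain-joined machine, a session with Admins rights, and that the NetBIOS OU contains Users and Computers OUs as the procedure describes; the mapping of the wizard's choices (create/delete Computer objects in this folder, then Read and Write) to CreateChild/DeleteChild and GenericRead/GenericWrite ACEs is this example's translation of the GUI steps, and the account name joiner is a placeholder.

```powershell
# Added example: delegate computer-join rights to a Joiners group with PowerShell.
# Assumes the RSAT ActiveDirectory module and a session with Admins rights on a
# domain-joined machine (the same starting point as the GUI procedure).
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName               # e.g. DC=corp,DC=example,DC=com (assumed shape)
$netbiosOU   = "OU=$($domain.NetBIOSName),$domainDN"   # the OU AWS creates with your NetBIOS name
$usersOU     = "OU=Users,$netbiosOU"
$computersOU = "OU=Computers,$netbiosOU"

# Steps 2-3: a global security group named Joiners in the Users OU under the NetBIOS OU
if (-not (Get-ADGroup -Filter "Name -eq 'Joiners'" -SearchBase $usersOU)) {
    New-ADGroup -Name "Joiners" -GroupScope Global -GroupCategory Security -Path $usersOU
}
$joinersSid = (Get-ADGroup -Identity "Joiners").SID

# Steps 4-10: the wizard's choices expressed as ACEs on the Computers OU.
# schemaIDGUID of the computer object class, used to restrict the ACEs to computer objects.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$acl = Get-Acl -Path "AD:\$computersOU"

# "Create selected objects in this folder" and "Delete selected objects in this folder",
# limited to Computer objects, applied to the Computers OU itself (this object only).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $joinersSid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($createDelete)

# "Read" and "Write": generic read/write on descendant Computer objects only.
foreach ($right in @([System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
                     [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $joinersSid,
        $right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$computersOU" -AclObject $acl

# Check (step 11 equivalent): show exactly which rights Joiners now holds on the Computers OU.
# Expect three Allow entries: CreateChild+DeleteChild (ObjectType = computer class, no inheritance),
# GenericRead and GenericWrite (InheritedObjectType = computer class, Descendents).
(Get-Acl -Path "AD:\$computersOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\Joiners" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType

# Step 12: a dedicated join account in the Users OU. The password is prompted, never scripted.
$joinPassword = Read-Host -Prompt "Password for the joiner account" -AsSecureString
New-ADUser -Name "joiner" -SamAccountName "joiner" -Path $usersOU `
    -AccountPassword $joinPassword -Enabled $true
Add-ADGroupMember -Identity "Joiners" -Members "joiner"

# On an instance, the join then uses only this account and lands the computer object
# in the delegated OU (placeholder domain name; run from the instance, not here):
#   Add-Computer -DomainName corp.example.com -Credential (Get-Credential "corp\joiner") `
#       -OUPath $computersOU -Restart
```

The final listing is the check worth keeping: if an entry for Joiners shows GenericAll, or an ACE without the computer class GUID, the delegation is broader than the procedure intends and should be removed before the account's credentials are distributed to instances.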