AWS Directory Service
Administration Guide (Version 1.0)

What Gets Created

When you create a directory with AWS Managed Microsoft AD, AWS Directory Service performs the following tasks on your behalf:

  • Sets up Active Directory within the VPC running on two domain controllers for fault tolerance and high availability. If you need more domain controllers, you can add them later. For more information, see Deploy Additional Domain Controllers.

  • Creates an organizational unit (OU) that contains all of your directory’s objects. This OU, which has the same name as the NetBIOS name that you typed when you created your directory (such as Corp), is located in the domain root. The domain root is owned and managed by AWS. Two child OUs exist under this OU by default: Computers and Users. For example:

    • Corp

      • Computers

      • Users

  • Creates a directory administrator account with the user name Admin and the password you specified. This account is located under the Users OU (for example, Corp > Users). You use this account to manage your directory in the AWS Cloud. For more information about this account, see Admin Account.

    Important

    Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved or reset.

  • Creates a new AWS Reserved OU to store all other AWS-specific accounts.

  • Creates a new AWS Delegated Groups OU to store all of the groups that you can use to delegate AWS-specific permissions to your users. The following table describes all of the delegated groups stored in this OU.

    Group Name
        Description

    AWS Delegated Account Operators
        Members of this security group have limited account management capability, such as password resets and unlocks.

    AWS Delegated Add Workstations To Domain Users
        Members of this security group can join 10 computers to a domain.

    AWS Delegated Administrators
        Members of this security group can manage AWS Managed Microsoft AD, have full control of all the objects in your OU, and can manage groups contained in the AWS Delegated Groups OU.

    AWS Delegated Distributed File System Administrators
        Members of this security group can add and remove FRS, DFS-R, and DFS namespaces.

    AWS Delegated Domain Name System Administrators
        Members of this security group can manage Active Directory-integrated DNS.

    AWS Delegated Dynamic Host Configuration Protocol Administrators
        Members of this security group can authorize Windows DHCP servers in the enterprise.

    AWS Delegated Enterprise Certificate Authority Administrators
        Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.

    AWS Delegated Fine Grained Password Policy Administrators
        Members of this security group can modify precreated fine-grained password policies.

    AWS Delegated Group Policy Administrators
        Members of this security group can perform group policy management tasks (create, edit, delete, link).

    AWS Delegated Kerberos Delegation Administrators
        Members of this security group can enable delegation on computer and user account objects.

    AWS Delegated Managed Service Account Administrators
        Members of this security group can create and delete Managed Service Accounts.

    AWS Delegated Remote Access Service Administrators
        Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.

    AWS Delegated Replicate Directory Changes Administrators
        Members of this security group can synchronize profile information in Active Directory with SharePoint Server.

    AWS Delegated Server Administrators
        Members of this security group are included in the local Administrators group on all domain-joined computers.

    AWS Delegated Sites and Services Administrators
        Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.

    AWS Delegated Terminal Server Licensing Administrators
        Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.

    AWS Delegated User Principal Name Suffix Administrators
        Members of this security group can add and remove user principal name suffixes.
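    The delegation model above is used by adding principals to the AWS-created groups rather than by editing ACLs, because the domain root and the AWS Reserved OU are controlled by AWS. The following PowerShell script is an added example, not code from the AWS guide: it verifies the OU layout described in this section, lists every delegated group with its current members (a useful periodic privilege review, since AWS Delegated Server Administrators, for instance, is local Administrator on every domain-joined machine), and then delegates DNS management by group membership. It assumes the RSAT ActiveDirectory module is installed on a domain-joined management instance, that you are signed in as Admin or a member of AWS Delegated Administrators, and that the user name dnsops is a placeholder for a real account in your directory.

```powershell
# Added example (not from the AWS guide). Assumes the RSAT ActiveDirectory
# module, a domain-joined management host, and Admin-level credentials.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$netbios  = $domain.NetBIOSName         # e.g. CORP; the customer OU carries this name

# 1. Confirm the customer OU exists directly under the domain root, then show
#    its default children (Computers and Users) plus anything you have added.
$customerOu = Get-ADOrganizationalUnit -Filter "Name -eq '$netbios'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $customerOu) { throw "Customer OU '$netbios' not found under $domainDn" }
Get-ADOrganizationalUnit -Filter * -SearchBase $customerOu.DistinguishedName -SearchScope OneLevel |
    Select-Object Name, DistinguishedName

# 2. Locate the AWS Delegated Groups OU by name instead of hard-coding its DN,
#    so the script does not depend on where AWS places it.
$delegatedOu = Get-ADOrganizationalUnit -Filter "Name -eq 'AWS Delegated Groups'" -SearchBase $domainDn
if (-not $delegatedOu) { throw "AWS Delegated Groups OU not found under $domainDn" }

# 3. Privilege review: every delegated group and its effective (nested) members.
#    Empty groups are expected on a fresh directory; populated ones are the
#    accounts holding AWS-managed delegated rights.
Get-ADGroup -Filter * -SearchBase $delegatedOu.DistinguishedName |
    Sort-Object Name |
    ForEach-Object {
        $members = Get-ADGroupMember -Identity $_ -Recursive |
            Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{ Group = $_.Name; Members = ($members -join ', ') }
    } | Format-Table -AutoSize

# 4. Delegate by membership: allow the placeholder account 'dnsops' to manage
#    Active Directory-integrated DNS. No ACL edits are needed; the group
#    already carries the rights.
$user  = Get-ADUser -Identity 'dnsops'
$group = Get-ADGroup -Filter "Name -eq 'AWS Delegated Domain Name System Administrators'" `
    -SearchBase $delegatedOu.DistinguishedName
Add-ADGroupMember -Identity $group -Members $user

# 5. Verify the change before relying on it.
if ((Get-ADGroupMember -Identity $group).SamAccountName -contains $user.SamAccountName) {
    Write-Host "$($user.SamAccountName) is now a member of $($group.Name)"
} else {
    throw "Membership change did not take effect"
}
```

    Run the review step (3) on its own from a scheduled task and diff its output against a known baseline; any new member of AWS Delegated Administrators, AWS Delegated Server Administrators, or AWS Delegated Kerberos Delegation Administrators is a change worth an alert, because those three groups grant directory-wide control, local Administrator on every domain-joined host, and the ability to configure Kerberos delegation respectively.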