This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Create a service account and delegate privileges
To connect to your existing directory, you must have the credentials of an AD Connector service account in that directory that has been delegated the required privileges. Members of the “Domain Admins” group have more than enough privileges to connect, but as a best practice you should use a service account that holds only the minimum privileges needed for the connection. The following procedure shows how to create a new group called “Connectors”, delegate to that group the privileges AWS Directory Service needs to connect, and then add a new service account to the group.
This procedure must be performed on a machine that is joined to your directory and has the “Active Directory Users and Computers” MMC snap-in installed. You must also be logged in as a domain administrator.
To delegate privileges to your service account:
- Open Active Directory Users and Computers and select your domain root in the navigation tree.
- In the list in the left-hand pane, right-click Users, select New, and then select Group.
- Locate the New Object - Group dialog box.
- For Group name, enter Connectors.
- For Group scope, choose Global.
- For Group type, choose Security.
- Choose OK.
- In the Active Directory Users and Computers navigation tree, choose your domain root.
- In the menu, choose Action, and then Delegate Control.
- On the Delegation of Control Wizard page, select Next, then select Add.
- In the Select Users, Computers, or Groups dialog box, enter Connectors and select OK. If more than one object is found, choose the Connectors group created above. Choose Next.
- On the Tasks to Delegate page, select Create a custom task to delegate. Choose Next.
- Choose Only the following objects in the folder, and then choose Computer objects and User objects.
- Choose Create selected objects in this folder and Delete selected objects in this folder. Choose Next.
- Choose General and Property-specific, Read and Write. Choose Next.
- Verify the information on the Completing the Delegation of Control Wizard page, and select Finish.
- Create a user with a strong password and add that user to the “Connectors” group. This user will be known as your AD Connector service account. Because this user is now a member of the “Connectors” group, it has sufficient privileges to connect AWS Directory Service to the directory.
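The same procedure as a script, for environments where the delegation should be repeatable and reviewable rather than clicked through. This PowerShell is an added example, not code from the whitepaper or from AWS Directory Service. It assumes the RSAT ActiveDirectory module is installed, that the session runs as a domain administrator on a domain-joined machine, and that the service account name adconnector-svc (an assumed name) is acceptable in your directory; the group name Connectors and the delegated rights are the ones the procedure above specifies.

```powershell
# Added example (not from the AWS whitepaper): scripted equivalent of the
# "Create a service account and delegate privileges" procedure.
# Assumes: RSAT ActiveDirectory module, domain-joined machine, domain admin session.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName   # domain root DN, read from the domain rather than hard-coded
$groupName = 'Connectors'
$svcName   = 'adconnector-svc'           # assumed service account name; choose your own

# Step 1: a global security group named Connectors in the Users container
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupCategory Security -GroupScope Global `
    -Path "CN=Users,$domainDN" `
    -Description 'Delegated rights for the AWS AD Connector service account'

# Step 2: delegate control at the domain root, limited to user and computer objects.
# The wizard's choices correspond to two ACEs per object class:
#   CreateChild/DeleteChild for that class on the root and every container below it
#   ("Create/Delete selected objects in this folder"), and
#   GenericRead/GenericWrite on descendant objects of that class
#   ("General" and "Property-specific", Read and Write).
# The class GUIDs are looked up in the schema instead of being hard-coded.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$classGuids = foreach ($class in 'user', 'computer') {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$class'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}

$sid   = (Get-ADGroup -Identity $groupName).SID
$path  = "AD:\$domainDN"
$acl   = Get-Acl -Path $path
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$createDeleteRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$readWriteRights    = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite'
$inheritAll         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inheritDescendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

foreach ($guid in $classGuids) {
    # Create and delete objects of this class (ObjectType = class GUID), here and below
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $createDeleteRights, $allow, $guid, $inheritAll
    $acl.AddAccessRule($createDelete)

    # Read and write properties of existing objects of this class (InheritedObjectType = class GUID)
    $readWrite = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $readWriteRights, $allow, $inheritDescendants, $guid
    $acl.AddAccessRule($readWrite)
}
Set-Acl -Path $path -AclObject $acl

# Step 3: the service account, created with a strong password and added to Connectors.
# It holds no rights of its own; everything it can do comes from the group's delegation.
$password = Read-Host -AsSecureString -Prompt "Strong password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
    -Path "CN=Users,$domainDN" `
    -AccountPassword $password -Enabled $true `
    -Description 'AWS AD Connector service account'
Add-ADGroupMember -Identity $groupName -Members $svcName

# Step 4: show exactly what was delegated to the group on the domain root
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The final listing is the part worth keeping in a change record: it shows that the group, and only the group, received create/delete rights over user and computer objects and read/write over their properties, and nothing at the domain level beyond that. Because those rights cover every user and computer object in the domain, treat the service account's credentials with the same care as any other privileged account and keep the group's membership to that single account.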