AWS Security Blog
How to Delegate Administration of Your AWS Managed Microsoft AD Directory to Your On-Premises Active Directory Users
You can now enable your on-premises users to administer your AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. Using an Active Directory (AD) trust and the new AWS delegated AD security groups, you can grant administrative permissions to your on-premises users by managing group membership in your on-premises AD directory. This simplifies how you manage who can perform administration. It also makes it easier for your administrators because they can sign in to their existing workstation with their on-premises AD credentials to administer your AWS Managed Microsoft AD.
AWS created new domain local AD security groups (AWS delegated groups) in your AWS Managed Microsoft AD directory. Each AWS delegated group has unique AD administrative permissions. Users who are members of the new AWS delegated groups get permissions to perform administrative tasks, such as adding users, configuring fine-grained password policies and enabling Microsoft enterprise Certificate Authority. Because the AWS delegated groups are domain local in scope, you can use them through an AD trust to your on-premises AD. This eliminates the requirement to create and use separate identities to administer your AWS Managed Microsoft AD. Instead, by adding selected on-premises users to the desired AWS delegated groups, you can grant your administrators some or all of the permissions. You can simplify this even further by adding on-premises AD security groups to the AWS delegated groups. This lets you add and remove users from your on-premises AD security group to manage administrative permissions in your AWS Managed Microsoft AD.
In this blog post, I will show you how to delegate permissions to your on-premises users to perform an administrative task–configuring fine-grained password policies–in your AWS Managed Microsoft AD directory. You can follow the steps in this post to delegate other administrative permissions, such as configuring group Managed Service Accounts and Kerberos constrained delegation, to your on-premises users.
Background
Until now, AWS Managed Microsoft AD delegated administrative permissions for your directory by creating AD security groups in your Organizational Unit (OU) and authorizing these AWS delegated groups for common administrative activities. The admin user in your directory created user accounts within your OU, and granted these users permissions to administer your directory by adding them to one or more of these AWS delegated groups.
However, if you used your AWS Managed Microsoft AD with a trust to an on-premises AD forest, you couldn’t add users from your on-premises directory to these AWS delegated groups. This is because AWS created the AWS delegated groups with global scope, which restricts adding users from another forest. This necessitated that you create different user accounts in AWS Managed Microsoft AD for the purpose of administration. As a result, AD administrators typically had to remember additional credentials for AWS Managed Microsoft AD.
To address this, AWS created new AWS delegated groups with domain local scope in a separate OU called AWS Delegated Groups. These new AWS delegated groups with domain local scope are more flexible and permit adding users and groups from other domains and forests. This allows your admin user to delegate administrative permissions for your AWS Managed Microsoft AD directory to your on-premises users and groups.
Note: If you already have an existing AWS Managed Microsoft AD directory containing the original AWS delegated groups with global scope, AWS preserved the original AWS delegated groups in the event you are currently using them with identities in AWS Managed Microsoft AD. AWS recommends that you transition to use the new AWS delegated groups with domain local scope. All newly created AWS Managed Microsoft AD directories have the new AWS delegated groups with domain local scope only.
Now, I will show you the steps to delegate administrative permissions to your on-premises users and groups to configure fine-grained password policies in your AWS Managed Microsoft AD directory.
Prerequisites
For this post, I assume you are familiar with AD security groups and how security group scope rules work. I also assume you are familiar with AD trusts.
The instructions in this blog post require you to have the following components running:
- An active AWS Managed Microsoft AD directory. To create a directory, follow the steps in Creating an AWS Managed Microsoft AD directory. You also need to know the password for the admin account so that you can add other users and groups to the AWS created AD security groups in the AWS Managed Microsoft AD directory.
- An existing on-premises AD directory. Your on-premises AD directory must contain a user that you want to delegate permissions to manage your AWS Managed Microsoft AD directory.
- A trust relationship between your AWS Managed Microsoft AD and your on-premises AD. To learn more, see Simplified Configuration of Trust Relationship in the AWS Directory Service Console. You can create a one-way outgoing trust from your AWS Managed Microsoft AD directory to your on-premises AD directory, or a two-way trust.
- A machine joined to AWS Managed Microsoft AD domain with Active Directory Users and Computers (ADUC) tool installed. If you don’t have an existing machine with ADUC installed, you can join an Amazon EC2 for Windows Server instance to your AWS Managed Microsoft AD domain and install Active Directory Administrative Tools.
- A machine joined to your on-premises AD directory with ADUC installed. You can install ADUC by installing Active Directory Administrative Tools on a Windows computer that you joined to your on-premises AD domain.
Solution overview
I will now show you how to manage which on-premises users have delegated permissions to administer your directory by efficiently using on-premises AD security groups to manage these permissions. I will do this by:
- Adding on-premises groups to an AWS delegated group. In this step, you sign in to a management instance connected to your AWS Managed Microsoft AD directory as the admin user and add on-premises groups to AWS delegated groups.
- Administering your AWS Managed Microsoft AD directory as an on-premises user. In this step, you sign in to a workstation connected to your on-premises AD using your on-premises credentials and administer your AWS Managed Microsoft AD directory.
For the purpose of this blog, I already have an on-premises AD directory (in this case, on-premises.com). I also created an AWS Managed Microsoft AD directory (in this case, corp.example.com) that I use with Amazon RDS for SQL Server. To enable Integrated Windows Authentication to my on-premises.com domain, I established a one-way outgoing trust from my AWS Managed Microsoft AD directory to my on-premises AD directory. To administer my AWS Managed Microsoft AD, I created an Amazon EC2 for Windows Server instance (in this case, Cloud Management). I also have an on-premises workstation (in this case, On-premises Management) that is connected to my on-premises AD directory.
The following diagram represents the relationships between the on-premises AD and the AWS Managed Microsoft AD directory.
The left side represents the AWS Cloud containing the AWS Managed Microsoft AD directory. I connected the directory to the on-premises AD directory via a 1-way forest trust relationship. When AWS created my AWS Managed Microsoft AD directory, AWS created a group called AWS Delegated Fine Grained Password Policy Administrators that has permissions to configure fine-grained password policies in AWS Managed Microsoft AD.
The right side of the diagram represents the on-premises AD directory. I created a global AD security group called On-premises fine grained password policy admins and I configured it so all members can manage fine grained password policies in my on-premises AD. I have two administrators in my company, John and Richard, who I added as members of On-premises fine grained password policy admins. I want to enable John and Richard to also manage fine grained password policies in my AWS Managed Microsoft AD.
While I could add John and Richard to the AWS Delegated Fine Grained Password Policy Administrators group individually, I want a more efficient way to delegate and remove permissions for on-premises users to manage fine grained password policies in my AWS Managed Microsoft AD. In fact, I want to assign permissions to the same people that manage password policies in my on-premises directory.
To do this, I will:
- As the admin user, add the On-premises fine grained password policy admins group as a member of the AWS Delegated Fine Grained Password Policy Administrators security group from my Cloud Management machine.
- Manage who can administer password policies in my AWS Managed Microsoft AD directory by adding and removing users as members of the On-premises fine grained password policy admins group. Doing so enables me to perform all my delegation work in my on-premises directory without the need to use a remote desktop protocol (RDP) session to my Cloud Management instance. In this case, Richard, who is a member of the On-premises fine grained password policy admins group, can now administer the AWS Managed Microsoft AD directory from the On-premises Management workstation.
Although I’m showing a specific case using fine grained password policy delegation, you can do this with any of the new AWS delegated groups and your on-premises groups and users.
Let’s get started.
Step 1 – Add on-premises groups to AWS delegated groups
In this step, open an RDP session to the Cloud Management instance and sign in as the admin user in your AWS Managed Microsoft AD directory. Then, add your users and groups from your on-premises AD to AWS delegated groups in AWS Managed Microsoft AD directory. In this example, I do the following:
- Sign in to the Cloud Management instance with the user name admin and the password that you set for the admin user when you created your directory.
- Open the Microsoft Windows Server Manager and navigate to Tools > Active Directory Users and Computers.
- Switch to the tree view and navigate to corp.example.com > AWS Delegated Groups. Right-click AWS Delegated Fine Grained Password Policy Administrators and select Properties.
- In the AWS Delegated Fine Grained Password Policy window, switch to Members tab and choose Add.
- In the Select Users, Contacts, Computers, Service Accounts, or Groups window, choose Locations.
- In the Locations window, select on-premises.com domain and choose OK.
- In the Enter the object names to select box, enter on-premises fine grained password policy admins and choose Check Names.
- Because I have a 1-way trust from AWS Managed Microsoft AD to my on-premises AD, Windows prompts me to enter credentials for an on-premises user account that has permissions to complete the search. If I had a 2-way trust and the admin account in my AWS Managed Microsoft AD had permissions to read my on-premises directory, Windows would not prompt me. In the Windows Security window, enter the credentials for an account with permissions for on-premises.com and choose OK.
- Click OK to add the On-premises fine grained password policy admins group as a member of the AWS Delegated Fine Grained Password Policy Administrators group in your AWS Managed Microsoft AD directory.
At this point, any user that is a member of the On-premises fine grained password policy admins group has permissions to manage password policies in your AWS Managed Microsoft AD directory.
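The same delegation done with the ActiveDirectory PowerShell module instead of ADUC, as an added example that is not part of the AWS post. It assumes the names used in this post (corp.example.com, on-premises.com, the two group names) and that it runs on the Cloud Management instance as the admin user; the `<SID=...>` form for writing a cross-forest member is a standard AD technique, not something the post describes.

```powershell
# Added example (not from the AWS post): Step 1 with the ActiveDirectory module.
# Run on the Cloud Management instance signed in as the corp.example.com admin.
Import-Module ActiveDirectory

$awsDomain    = 'corp.example.com'
$onPremDomain = 'on-premises.com'
$awsGroup     = 'AWS Delegated Fine Grained Password Policy Administrators'
$onPremGroup  = 'On-premises fine grained password policy admins'

# With a one-way outgoing trust the admin account cannot read on-premises.com,
# so prompt for an on-premises account that can (the same prompt ADUC shows).
$onPremCred = Get-Credential -Message "Account that can read $onPremDomain"

# 1. Confirm the AWS delegated group is domain local. A global group would
#    refuse members from another forest, which was the original limitation.
$target = Get-ADGroup -Identity $awsGroup -Server $awsDomain
if ($target.GroupScope -ne 'DomainLocal') {
    throw "$awsGroup has scope $($target.GroupScope); use the domain-local group in the AWS Delegated Groups OU."
}

# 2. Resolve the on-premises group in the trusted forest and take its SID.
$source = Get-ADGroup -Identity $onPremGroup -Server $onPremDomain -Credential $onPremCred
$sid    = $source.SID.Value

# 3. Add it as a foreign security principal. A cross-forest member is written to
#    the member attribute as "<SID=...>"; AD creates the matching object under
#    CN=ForeignSecurityPrincipals in corp.example.com automatically.
Set-ADGroup -Identity $target -Server $awsDomain -Add @{ member = "<SID=$sid>" }

# 4. Verify by reading the member attribute back rather than resolving members
#    across the trust, which can fail when the trust is one-way.
$members = (Get-ADGroup -Identity $awsGroup -Server $awsDomain -Properties member).member
$fsp = $members | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" }
if (-not $fsp) {
    throw "$onPremGroup (SID $sid) was not added to $awsGroup"
}
Write-Host "$onPremGroup is now a member of $awsGroup as $fsp"
```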
Step 2 – Administer your AWS Managed Microsoft AD as on-premises user
Any member of the on-premises group(s) that you added to an AWS delegated group inherits the permissions of that AWS delegated group.
In this example, Richard signs in to the On-premises Management instance. Because Richard inherited permissions from AWS Delegated Fine Grained Password Policy Administrators, he can now administer fine grained password policies in the AWS Managed Microsoft AD directory using on-premises credentials.
- Sign in to the On-premises Management instance as Richard.
- Open the Microsoft Windows Server Manager and navigate to Tools > Active Directory Users and Computers.
- Switch to the tree view, right-click Active Directory Users and Computers, and then select Change Domain.
- In the Change Domain window, enter corp.example.com, and then choose OK.
- You’ll be connected to your AWS Managed Microsoft AD domain.
Richard can now administer the password policies. Because John is also a member of the AWS delegated group, John can also perform password policy administration the same way.
In future, if Richard moves to another division within the company and you hire Judy as a replacement for Richard, you can simply remove Richard from the On-premises fine grained password policy admins group and add Judy to this group. Richard will no longer have administrative permissions, while Judy can now administer password policies for your AWS Managed Microsoft AD directory.
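Step 2 and the Richard/Judy hand-over with the ActiveDirectory PowerShell module, as an added example that is not part of the AWS post. It assumes the first part runs on the On-premises Management workstation signed in as Richard (so Kerberos over the trust supplies his on-premises identity), that the sAMAccountNames are `Richard` and `Judy`, and that `CorpAdmins` is a hypothetical fine-grained password policy name; the membership swap at the end is run by whoever manages groups in on-premises.com.

```powershell
# Added example (not from the AWS post): administer corp.example.com from the
# on-premises workstation, then hand the delegation over without touching AWS.
Import-Module ActiveDirectory

$awsDomain   = 'corp.example.com'
$onPremGroup = 'On-premises fine grained password policy admins'

# Part 1 (as Richard): target the AWS directory explicitly. This is the
# PowerShell equivalent of "Change Domain" in ADUC, and no separate AWS
# credential is supplied; the on-premises logon token carries the delegated
# group membership across the trust.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $awsDomain |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# A write succeeds only because Richard's on-premises group is a member of
# AWS Delegated Fine Grained Password Policy Administrators. 'CorpAdmins' is a
# hypothetical policy name; substitute one that exists in your directory.
Set-ADFineGrainedPasswordPolicy -Identity 'CorpAdmins' -Server $awsDomain -LockoutThreshold 5

# Part 2 (as an on-premises group administrator): Judy replaces Richard.
# The entire change is made in on-premises.com; nothing in corp.example.com
# changes and no RDP session to Cloud Management is needed.
Remove-ADGroupMember -Identity $onPremGroup -Members 'Richard' -Confirm:$false
Add-ADGroupMember    -Identity $onPremGroup -Members 'Judy'

# Confirm the hand-over from the on-premises side.
$now = (Get-ADGroupMember -Identity $onPremGroup).SamAccountName
if ($now -contains 'Richard' -or $now -notcontains 'Judy') {
    throw "Membership of $onPremGroup is not what was expected: $($now -join ', ')"
}
# Richard's existing tickets expire on their own; his next sign-in no longer
# carries the delegated permission, and Judy's next sign-in does.
```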
Summary
We’ve tried to make it easier for you to administer your AWS Managed Microsoft AD directory by creating AWS delegated groups with domain local scope. You can add your on-premises AD groups to the AWS delegated groups. You can then control who can administer your directory by managing group membership in your on-premises AD directory. Your administrators can sign in to their existing on-premises workstations using their on-premises credentials and administer your AWS Managed Microsoft AD directory. I encourage you to explore the new AWS delegated security groups by using Active Directory Users and Computers from the management instance for your AWS Managed Microsoft AD. To learn more about AWS Directory Service, see the AWS Directory Service home page. If you have questions, please post them on the Directory Service forum. If you have comments about this post, submit them in the “Comments” section below.