Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Adding and removing Amazon Managed Microsoft AD members to
groups and groups to groups
With the Amazon Directory Service Data
API, a member can be a user, group, or computer. A user represents a person or
entity that can access your directory. Groups allow you to grant and deny permissions to more
than one user at a time.
Use the following procedures to add or remove an Amazon Managed Microsoft AD user to a group or group to
another group with user and group management or Amazon Directory Service Data in either the Amazon Web Services Management Console, Amazon CLI, or
Amazon Tools for PowerShell.
Adding a user to a group
Use the following procedure to add an Amazon Managed Microsoft AD user to a group with
user and group management or Amazon Directory Service Data in either the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
When you add an Amazon Managed Microsoft AD user to a group, the user inherits the roles and
permissions assigned to the group. These roles and permissions are part of the user's
group memberships.
Before you begin either procedure, you need to complete the following:
- Amazon Web Services Management Console
-
You can add an Amazon Managed Microsoft AD member to a group with the Amazon Web Services Management Console.
To add Amazon Managed Microsoft AD user to a group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. To find groups, enter the group name in
the search box under the Groups section. The tab shows a list
of groups in your Amazon Web Services Region.
-
Choose a group. You're directed to the Group details
screen.
-
Choose Members. The tab shows a list of users and child
groups by member type in your group.
-
Under Members tab, Choose Add
member.
-
Under Members, select the user you want to add to your
group, and then choose Add member to group. To find members,
enter the user logon name for users and group name for groups in the search box
under the Members section.
- Amazon CLI
-
The following describes how to format a request that adds an Amazon Managed Microsoft AD member
to a group with the Amazon Directory Service Data CLI.
To add an Amazon Managed Microsoft AD user to a group with the Amazon CLI
-
To add a user to a group, open the Amazon CLI, and run the following command,
replacing the Directory ID, group and member names with your Amazon Managed Microsoft AD
Directory ID and group and member names:
aws ds-data add-group-member --directory-id d-1234567890
--group-name "your-group-name
" --member-name "jane.doe
"
- Amazon Tools for PowerShell
-
The following describes how to format a request that adds an Amazon Managed Microsoft AD member
to a group with Amazon Tools for PowerShell.
To add an Amazon Managed Microsoft AD user to a group with Amazon Tools for PowerShell
-
To add a user to a group, open the Windows PowerShell, and run the
following command, replacing the Directory ID, group and member names with your
Amazon Managed Microsoft AD Directory ID and group and member names:
Add-DSDGroupMember -DirectoryId d-1234567890
-GroupName "your-group-name
" -MemberName "jane.doe
"
Removing a user from a group
With the Amazon Directory Service Data
API, a member can be a user, group, or computer. A user represents a person or
entity that can access your directory. Groups allow you to grant and deny permissions to
more than one user at a time.
Use the following procedure to remove an Amazon Managed Microsoft AD user to a group with
user and group management or Amazon Directory Service Data in either the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
When you remove an Amazon Managed Microsoft AD user from a group, the user loses access to the roles
and permissions assigned to the group. These roles and permissions are part of the group's
memberships.
Before you begin either procedure, you need to complete the following:
- Amazon Web Services Management Console
-
You can remove an Amazon Managed Microsoft AD member from a group with the Amazon Web Services Management Console.
To remove an Amazon Managed Microsoft AD user from a group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. The tab shows a list of groups in your
Amazon Web Services Region.
-
Choose a group. To find groups, enter the group name in the search box under
the Groups section. You're directed to the Group
details screen.
-
Choose Members. The tab shows a list of users and child
groups by member type in your group.
-
Select the user you want to remove from your group, and then choose
Remove. To find users, enter the user logon name in the
search box under the Members section.
-
Confirm that you want to remove the user from your group, and then choose
Remove again.
- Amazon CLI
-
The following describes how to format a request that removes an Amazon Managed Microsoft AD
member from a group with the Amazon Directory Service Data CLI.
To remove an Amazon Managed Microsoft AD user from a group with Amazon CLI
-
To remove a user to a group, open the Amazon CLI, and run the following command,
replacing the Directory ID, group and member names with your Amazon Managed Microsoft AD
Directory ID, group and member names:
aws ds-data remove-group-member --directory-id d-1234567890
--group-name "your-group-name
" --member-name "jane.doe
"
- Amazon Tools for PowerShell
-
The following describes how to format a request that removes an Amazon Managed Microsoft AD
member from a group with Amazon Tools for PowerShell.
To remove an Amazon Managed Microsoft AD user from a group with Amazon Tools for PowerShell
-
To remove a user to a group, open the Windows PowerShell, and run the
following command, replacing the Directory ID, group and member names with your
Amazon Managed Microsoft AD Directory ID, group and member names:
Remove-DSDGroupMember -DirectoryId d-1234567890
-GroupName "your-group-name
" -MemberName "jane.doe
"
Adding a group to a group
When you add an Amazon Managed Microsoft AD group to another group, the groups share a parent-child
relationship. The child group gains access to the roles and permissions that are assigned to
the parent group. You can add a child group to your group and your group to a parent
group.
Before you begin either procedure, you need to complete the following:
- Amazon Web Services Management Console
-
You can add an Amazon Managed Microsoft AD group to a group with the Amazon Web Services Management Console.
To add a child group to your group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. The tab shows a list of groups in your
Amazon Web Services Region.
-
Choose a group. To find groups, enter the group name in the search box under
the Groups section. You're directed to the Group
details screen.
-
Choose Members. The tab shows a list of users and child
groups by member type in your group.
-
Choose Add member.
-
Under Members, select the child group(s) you want to add
to your group, and then choose Add member to group.
To add a parent group to a group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. The tab shows a list of groups in your
Amazon Web Services Region.
-
Choose a group. To find groups, enter the group name in the search box under
the Groups section. You're directed to the Group
details screen.
-
Choose Parent groups. The tab shows a list of groups
that your group is a member of.
-
Choose Add parent groups.
-
Under Groups, select the group(s) you want to add your
group to, and then choose Add parent groups again.
- Amazon CLI
-
The following describes how to format a request that adds an Amazon Managed Microsoft AD group
to a group with the Amazon Directory Service Data CLI.
To add a child group to your group with the Amazon CLI
-
To add a child group to a parent group, open the Amazon CLI, and run the following
command, replacing the Directory ID, group and member names with your Amazon Managed Microsoft AD
Directory ID, group and member names:
aws ds-data add-group-member --directory-id d-1234567890
--group-name "parent-group-name
" --member-name "child-group-name
"
- Amazon Tools for PowerShell
-
The following describes how to format a request that adds an Amazon Managed Microsoft AD group
to a group with Amazon Tools for PowerShell.
To add a child group to your group with Amazon Tools for PowerShell
-
To add a child group to a parent group, open the Windows PowerShell, and
run the following command, replacing the Directory ID, group and member names with
your Amazon Managed Microsoft AD Directory ID, group and member names:
Add-DSDGroupMember -DirectoryId d-1234567890
-GroupName "parent-group-name
" -MemberName "child-group-name
"
Removing a group from a group
When you remove an Amazon Managed Microsoft AD group from another group, the groups no longer share a
parent-child relationship. The child group loses access to the roles and permissions that
are assigned to the parent group. You can remove a child group from your group and your
group from a parent group.
Before you begin either procedure, you need to complete the following:
- Amazon Web Services Management Console
-
You can remove an Amazon Managed Microsoft AD group to a group with the Amazon Web Services Management Console.
To remove a child group from your group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. The tab shows a list of groups in your
Amazon Web Services Region.
-
Choose a group. You're directed to the Group details
screen. To find groups, enter the group name in the search box under the
Groups section.
-
Choose Members. The tab shows a list of users and child
groups by member type in your group.
-
Select the child group(s) you want to remove from your group, and then choose
Remove.
-
Confirm the child group(s) you want to remove from your group, and then
choose Remove again.
To remove your group from a parent group with the Amazon Web Services Management Console
-
Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
-
From the navigation pane, choose Active Directory, and then choose
Directories. You're directed to the
Directories screen where you can view a list of directories
in your Amazon Web Services Region.
-
Choose a directory. You're directed to the Directory
details screen.
-
Choose Groups. The tab shows a list of groups in your
Amazon Web Services Region.
-
Choose a group. You're directed to the Group details
screen. To find groups, enter the group name in the search box under the
Groups section.
-
Choose Parent groups. The tab shows a list of groups
that your group is a member of.
-
Select the parent group you want to remove your group from, and then choose
Remove parent groups.
-
Confirm the parent group you want to remove your group from, and then choose
Remove parent groups again.
- Amazon CLI
-
The following describes how to format a request that removes an Amazon Managed Microsoft AD group
to a group with the Amazon Directory Service Data CLI.
-
To remove a child group from a parent group with the Amazon CLI
To add remove a child group from a parent group, open the Amazon CLI, and run the
following command, replacing the Directory ID, group and member names with your
Amazon Managed Microsoft AD Directory ID, group and member names:
aws ds-data remove-group-member --directory-id d-1234567890
--group-name "parent-group-name
" --member-name "child-group-name
"
- Amazon Tools for PowerShell
-
The following describes how to format a request that removes an Amazon Managed Microsoft AD group
to a group with Amazon Tools for PowerShell.
-
To remove a child group from a parent group with Amazon Tools for PowerShell
To add remove a child group from a parent group, open the
Windows PowerShell, and run the following command, replacing the Directory ID,
group and member names with your Amazon Managed Microsoft AD Directory ID, group and member
names:
Remove-DSDGroupMember -DirectoryId d-1234567890
-GroupName "parent-group-name
" -MemberName "child-group-name
"