Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Adding and removing Amazon Managed Microsoft AD members to groups and groups to groups
With the Amazon Directory Service Data API, a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time.
Use the following procedures to manage group membership for Amazon Managed Microsoft AD users and groups with Amazon Directory Service Data in the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
Adding a user to a group
Use the following procedure to add an Amazon Managed Microsoft AD user to a group with Amazon Directory Service Data in the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
When you add an Amazon Managed Microsoft AD user to a group, the user inherits the roles and permissions assigned to the group.
Before you begin, complete the following:
- Amazon Web Services Management Console
  You can add an Amazon Managed Microsoft AD member to a group with the Amazon Web Services Management Console.
  To add an Amazon Managed Microsoft AD user to a group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. To find groups, enter the group name in the search box under the Groups section. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. You're directed to the Group details screen.
  - Choose Members. The tab shows a list of users and child groups by member type in your group.
  - Under the Members tab, choose Add member.
  - Under Members, select the user you want to add to your group, and then choose Add member to group. To find members, enter the user logon name for users and the group name for groups in the search box under the Members section.
- Amazon CLI
  The following describes how to format a request that adds an Amazon Managed Microsoft AD member to a group with the Amazon Directory Service Data CLI.
  To add an Amazon Managed Microsoft AD user to a group with the Amazon CLI
  - To add a user to a group, open the Amazon CLI, and run the following command with your Directory ID, group name, and member name:
    aws ds-data add-group-member \
      --directory-id d-1234567890 \
      --group-name "your-group-name" \
      --member-name "jane.doe"
  For more information, see add-group-member.
- PowerShell
  The following describes how to format a request that adds an Amazon Managed Microsoft AD member to a group with Amazon Tools for PowerShell.
  To add an Amazon Managed Microsoft AD user to a group with Amazon Tools for PowerShell
  - To add a user to a group, open PowerShell, and run the following command with your Directory ID, group name, and member name:
    Add-DSDGroupMember `
      -DirectoryId d-1234567890 `
      -GroupName "your-group-name" `
      -MemberName "jane.doe"
  For more information, see Add-DSDGroupMember.
Removing a user from a group
With the Amazon Directory Service Data API, a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time.
Use the following procedure to remove an Amazon Managed Microsoft AD user from a group with Amazon Directory Service Data in the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
When you remove an Amazon Managed Microsoft AD user from a group, the user loses the roles and permissions assigned to the group.
- Amazon Web Services Management Console
  You can remove an Amazon Managed Microsoft AD member from a group with the Amazon Web Services Management Console.
  To remove an Amazon Managed Microsoft AD user from a group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. To find groups, enter the group name in the search box under the Groups section. You're directed to the Group details screen.
  - Choose Members. The tab shows a list of users and child groups by member type in your group.
  - Select the user you want to remove from your group, and then choose Remove. To find users, enter the user logon name in the search box under the Members section.
  - Confirm that you want to remove the user from your group, and then choose Remove again.
- Amazon CLI
  The following describes how to format a request that removes an Amazon Managed Microsoft AD member from a group with the Amazon Directory Service Data CLI.
  To remove an Amazon Managed Microsoft AD user from a group with the Amazon CLI
  - To remove a user from a group, open the Amazon CLI, and run the following command with your Directory ID, group name, and member name:
    aws ds-data remove-group-member \
      --directory-id d-1234567890 \
      --group-name "your-group-name" \
      --member-name "jane.doe"
  For more information, see remove-group-member.
- PowerShell
  The following describes how to format a request that removes an Amazon Managed Microsoft AD member from a group with Amazon Tools for PowerShell.
  To remove an Amazon Managed Microsoft AD user from a group with Amazon Tools for PowerShell
  - To remove a user from a group, open PowerShell, and run the following command with your Directory ID, group name, and member name:
    Remove-DSDGroupMember `
      -DirectoryId d-1234567890 `
      -GroupName "your-group-name" `
      -MemberName "jane.doe"
  For more information, see Remove-DSDGroupMember.
Adding a group to a group
When you add an Amazon Managed Microsoft AD group to another group, the groups share a parent-child relationship. The child group gains access to the roles and permissions that are assigned to the parent group. You can add a child group to your group and your group to a parent group.
- Amazon Web Services Management Console
  You can add an Amazon Managed Microsoft AD group to a group with the Amazon Web Services Management Console.
  To add a child group to your group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. To find groups, enter the group name in the search box under the Groups section. You're directed to the Group details screen.
  - Choose Members. The tab shows a list of users and child groups by member type in your group.
  - Choose Add member.
  - Under Members, select the child group(s) you want to add to your group, and then choose Add member to group.
  To add a parent group to a group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. To find groups, enter the group name in the search box under the Groups section. You're directed to the Group details screen.
  - Choose Parent groups. The tab shows a list of groups that your group is a member of.
  - Choose Add parent groups.
  - Under Groups, select the group(s) you want to add your group to, and then choose Add parent groups again.
- Amazon CLI
  The following describes how to format a request that adds an Amazon Managed Microsoft AD group to a group with the Amazon Directory Service Data CLI.
  To add a child group to your group with the Amazon CLI
  - To add a child group to a parent group, open the Amazon CLI, and run the following command with your Directory ID, group name, and member name:
    aws ds-data add-group-member \
      --directory-id d-1234567890 \
      --group-name "parent-group-name" \
      --member-name "child-group-name"
  For more information, see add-group-member.
- PowerShell
  The following describes how to format a request that adds an Amazon Managed Microsoft AD group to a group with Amazon Tools for PowerShell.
  To add a child group to your group with Amazon Tools for PowerShell
  - To add a child group to a parent group, open PowerShell, and run the following command with your Directory ID, group name, and member name:
    Add-DSDGroupMember `
      -DirectoryId d-1234567890 `
      -GroupName "parent-group-name" `
      -MemberName "child-group-name"
  For more information, see Add-DSDGroupMember.
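The add-group-member operation is the same call whether the member is a user (the "Adding a user to a group" procedure above) or a child group (this section), and the documentation notes that a child group gains the parent group's permissions. What the procedures do not show is the consequence for review: after two or three levels of nesting, a user several hops away holds the permissions of a privileged group, and an add that is retried blindly is not idempotent. The following added example (not AWS documentation code) computes effective, transitive user membership of a group with a cycle guard and paginates through list-group-members, and wraps add-group-member in a check so it only changes the directory when the member is absent. To run offline it uses a constructed in-memory stand-in for the client; the method and parameter names mirror the documented operations, and it is an assumption that `boto3.client("ds-data")` exposes the same names so the helpers can be pointed at a real client. The Directory ID is the placeholder from the page, and all group and user names are constructed.

```python
"""Group membership helpers around the Directory Service Data API shape.

Added example, not AWS documentation code. Runs offline against an in-memory
stand-in; assumption: boto3.client("ds-data") exposes add_group_member,
remove_group_member and list_group_members with these parameter names.
"""

DIRECTORY_ID = "d-1234567890"  # placeholder Directory ID used on the page


class FakeDsDataClient:
    """Constructed in-memory stand-in for the ds-data client, with NextToken paging."""

    def __init__(self, groups, users, page_size=2):
        self._members = {g: {} for g in groups}  # group -> {member: "USER" | "GROUP"}
        self._users = set(users)
        self._page_size = page_size  # small on purpose so the NextToken path is exercised

    def add_group_member(self, DirectoryId, GroupName, MemberName):
        if DirectoryId != DIRECTORY_ID or GroupName not in self._members:
            raise LookupError(f"unknown directory or group: {DirectoryId}/{GroupName}")
        if MemberName in self._members:
            member_type = "GROUP"
        elif MemberName in self._users:
            member_type = "USER"
        else:
            raise LookupError(f"unknown member: {MemberName}")
        self._members[GroupName][MemberName] = member_type
        return {}

    def remove_group_member(self, DirectoryId, GroupName, MemberName):
        self._members[GroupName].pop(MemberName, None)
        return {}

    def list_group_members(self, DirectoryId, SAMAccountName, NextToken=None):
        names = sorted(self._members[SAMAccountName])
        start = int(NextToken or 0)
        page = names[start:start + self._page_size]
        resp = {"Members": [{"SAMAccountName": n, "MemberType": self._members[SAMAccountName][n]}
                            for n in page]}
        if start + self._page_size < len(names):
            resp["NextToken"] = str(start + self._page_size)
        return resp


def direct_members(client, directory_id, group):
    """Return {member_name: member_type} for one group, following every NextToken page."""
    members, token = {}, None
    while True:
        kwargs = {"DirectoryId": directory_id, "SAMAccountName": group}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_group_members(**kwargs)
        for m in resp["Members"]:
            members[m["SAMAccountName"]] = m["MemberType"]
        token = resp.get("NextToken")
        if not token:
            return members


def effective_users(client, directory_id, group):
    """Users holding the group's permissions directly or through nested child groups.

    The visited set guards against membership cycles (A in B and B in A), which AD allows.
    """
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for name, member_type in direct_members(client, directory_id, current).items():
            if member_type == "GROUP":
                stack.append(name)
            elif member_type == "USER":
                users.add(name)
    return users


def ensure_member(client, directory_id, group, member):
    """Idempotent add: call add_group_member only when the member is absent.

    Returns True when the directory was changed, so a caller can log real changes only.
    """
    if member in direct_members(client, directory_id, group):
        return False
    client.add_group_member(DirectoryId=directory_id, GroupName=group, MemberName=member)
    return True


def build_demo_client():
    """Constructed sample directory: tier0-admins <- helpdesk-leads <- helpdesk."""
    client = FakeDsDataClient(
        groups=["tier0-admins", "helpdesk-leads", "helpdesk"],
        users=["jane.doe", "sam.lead", "t1.agent", "t2.agent", "t3.agent"],
    )
    for group, member in [
        ("tier0-admins", "jane.doe"),
        ("tier0-admins", "helpdesk-leads"),  # a group nested inside a privileged group
        ("helpdesk-leads", "sam.lead"),
        ("helpdesk-leads", "helpdesk"),      # second level of nesting
        ("helpdesk", "t1.agent"),
        ("helpdesk", "t2.agent"),
        ("helpdesk", "t3.agent"),
    ]:
        ensure_member(client, DIRECTORY_ID, group, member)
    return client


if __name__ == "__main__":
    demo = build_demo_client()
    # Every helpdesk agent is effectively a tier0 admin through two levels of nesting.
    print(sorted(effective_users(demo, DIRECTORY_ID, "tier0-admins")))
    demo.remove_group_member(DirectoryId=DIRECTORY_ID, GroupName="helpdesk-leads", MemberName="helpdesk")
    print(sorted(effective_users(demo, DIRECTORY_ID, "tier0-admins")))
```

Running the module shows the whole helpdesk group inside the effective membership of tier0-admins until the child group is removed from helpdesk-leads. The same `effective_users` walk is a useful periodic check on any group whose name you would not expect a tier-1 account to reach; the real client returns `MemberType` values of USER, GROUP or COMPUTER, and the walk deliberately ignores COMPUTER members.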
Removing a group from a group
When you remove an Amazon Managed Microsoft AD group from another group, the groups no longer share a parent-child relationship. The child group loses access to the roles and permissions that are assigned to the parent group. You can remove a child group from your group and your group from a parent group.
- Amazon Web Services Management Console
  You can remove an Amazon Managed Microsoft AD group from a group with the Amazon Web Services Management Console.
  To remove a child group from your group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. You're directed to the Group details screen. To find groups, enter the group name in the search box under the Groups section.
  - Choose Members. The tab shows a list of users and child groups by member type in your group.
  - Select the child group(s) you want to remove from your group, and then choose Remove.
  - Confirm the child group(s) you want to remove from your group, and then choose Remove again.
  To remove your group from a parent group with the Amazon Web Services Management Console
  - Open the Amazon Directory Service console at https://console.amazonaws.cn/directoryservicev2/.
  - From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your Amazon Web Services Region.
  - Choose a directory. You're directed to the Directory details screen.
  - Choose Groups. The tab shows a list of groups in your Amazon Web Services Region.
  - Choose a group. You're directed to the Group details screen. To find groups, enter the group name in the search box under the Groups section.
  - Choose Parent groups. The tab shows a list of groups that your group is a member of.
  - Select the parent group you want to remove your group from, and then choose Remove parent groups.
  - Confirm the parent group you want to remove your group from, and then choose Remove parent groups again.
- Amazon CLI
  The following describes how to format a request that removes an Amazon Managed Microsoft AD group from a group with the Amazon Directory Service Data CLI.
  To remove a child group from a parent group with the Amazon CLI
  - To remove a child group from a parent group, open the Amazon CLI, and run the following command with your Directory ID, group name, and member name:
    aws ds-data remove-group-member \
      --directory-id d-1234567890 \
      --group-name "parent-group-name" \
      --member-name "child-group-name"
  For more information, see remove-group-member.
- PowerShell
  The following describes how to format a request that removes an Amazon Managed Microsoft AD group from a group with Amazon Tools for PowerShell.
  To remove a child group from a parent group with Amazon Tools for PowerShell
  - To remove a child group from a parent group, open PowerShell, and run the following command with your Directory ID, group name, and member name:
    Remove-DSDGroupMember `
      -DirectoryId d-1234567890 `
      -GroupName "parent-group-name" `
      -MemberName "child-group-name"
  For more information, see Remove-DSDGroupMember.