Amazon Managed Microsoft AD Administrator account permissions
When you create an Amazon Directory Service for Microsoft Active Directory directory, Amazon creates an organizational unit (OU) to store all Amazon related groups and accounts. For more information about this OU, see What gets created with your Amazon Managed Microsoft AD. This includes the Admin account. The Admin account has permissions to perform the following common administrative activities for your OU:
- Add, update, or delete users, groups, and computers. For more information, see User and group management in Amazon Managed Microsoft AD.
- Add resources to your domain such as file or print servers, and then assign permissions for those resources to users and groups in your OU.
- Create additional OUs and containers.
- Delegate authority of additional OUs and containers. For more information, see Delegating directory join privileges for Amazon Managed Microsoft AD.
- Create and link group policies.
- Restore deleted objects from the Active Directory Recycle Bin.
- Run Active Directory and DNS Windows PowerShell modules on the Active Directory Web Service.
- Create and configure group Managed Service Accounts. For more information, see Group Managed Service Accounts.
- Configure Kerberos constrained delegation. For more information, see Kerberos constrained delegation.
The Admin account also has rights to perform the following domainwide activities:
- Manage DNS configurations (add, remove, or update records, zones, and forwarders)
- View DNS event logs
- View security event logs
Only the actions listed here are allowed for the Admin account. The Admin account also lacks permissions for any directory-related actions outside of your specific OU, such as on the parent OU.
Important
Amazon Domain Administrators have full administrative access to all domains hosted on Amazon. See your agreement with Amazon and the Amazon data protection FAQ.
Note
We recommend that you do not delete or rename this account. If you no longer want to use the account, we recommend you set a long password (at most 64 random characters) and then disable the account.
Enterprise and domain administrator privileged accounts
Amazon automatically rotates the built-in Administrator password to a random password every 90 days. Any time the built-in Administrator password is requested for human use, an Amazon ticket is created and logged with the Amazon Directory Service team. Account credentials are encrypted and handled over secure channels. The Administrator account credentials can also only be requested by the Amazon Directory Service management team.
To perform operational management of your directory, Amazon has exclusive control of accounts with Enterprise Administrator and Domain Administrator privileges. This includes exclusive control of the Active Directory administrator account. Amazon protects this account by automating password management through the use of a password vault. During automated rotation of the administrator password, Amazon creates a temporary user account and grants it Domain Administrator privileges. This temporary account is used as a back-up in the event of password rotation failure on the administrator account. After Amazon successfully rotates the administrator password, Amazon deletes the temporary administrator account.
Normally Amazon operates the directory entirely through automation. In the event that an automation process is unable to resolve an operational problem, Amazon may need to have a support engineer sign in to your domain controller (DC) to perform diagnosis. In these rare cases, Amazon implements a request/notification system to grant access. In this process, Amazon automation creates a time-limited user account in your directory that has Domain Administrator permissions. Amazon associates the user account with the engineer who is assigned to work on your directory. Amazon records this association in our log system and provides the engineer with the credentials to use. All actions taken by the engineer are logged in the Windows event logs. When the allocated time elapses, automation deletes the user account.
You can monitor administrative account actions by using the log forwarding feature of your directory. This feature enables you to forward the AD Security events to your CloudWatch system where you can implement monitoring solutions. For more information, see Enabling Amazon CloudWatch Logs log forwarding for Amazon Managed Microsoft AD.
Security event IDs 4624 (an account was successfully logged on), 4672 (special privileges assigned to a new logon) and 4648 (a logon was attempted using explicit credentials) are all logged when someone logs onto a DC interactively. You can view each DC's Windows Security event log using the Event Viewer Microsoft Management Console (MMC) from a domain-joined Windows computer. You can also enable Amazon CloudWatch Logs log forwarding for Amazon Managed Microsoft AD to send all of the Security event logs to CloudWatch Logs in your account.
You might occasionally see users created and deleted within the Amazon Reserved OU. Amazon is responsible for the management and security of all objects in this OU and in any other OU or container where we have not delegated permissions for you to access and manage. Creations and deletions in that OU occur because Amazon Directory Service uses automation to rotate the Domain Administrator password on a regular basis: when the password is rotated, a backup account is created in case the rotation fails, and once the rotation succeeds the backup account is automatically deleted. In the rare event that interactive access to the DCs is needed for troubleshooting, a temporary user account is also created for an Amazon Directory Service engineer to use, and it is deleted once the engineer has completed their work. Note that every time interactive credentials are requested for a directory, the Amazon Directory Service management team is notified.
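The monitoring the two paragraphs above describe (watch for 4624, 4672 and 4648 on the DCs, and reconcile privileged sessions you did not expect against Amazon's temporary accounts) can be implemented as a small triage pass over the forwarded Security events. The script below is an added example, not code from the Amazon documentation or from Amazon Directory Service. It assumes the events have already been pulled from CloudWatch Logs (for example with boto3's `logs.filter_log_events`) and rendered as one `key=value` line per event; that line layout, the `SAMPLE_EVENTS`, the host names, the account names and the `EXPECTED_PRIVILEGED` allow-list are all constructed for this example, and only the field names follow the Windows Security audit schema.

```python
"""Triage Security events forwarded from Managed Microsoft AD domain controllers.

Added example; not code from the Amazon documentation. The key=value line
layout and the sample events are constructed for this example; only the field
names (TargetUserName, LogonType, TargetLogonId, ...) follow the Windows
Security audit schema.
"""
import re
from typing import Dict, List

# Logon types that mean a person had a session on the DC rather than a
# network call against it.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Accounts you expect to receive special privileges (event 4672) on your DCs.
# Assumption for this example: only the delegated Admin account. Anything else
# should be reconciled against an Amazon support ticket or a change you made.
EXPECTED_PRIVILEGED = {"admin"}

# Constructed sample events; hosts, addresses and account names are hypothetical.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=dc1.corp.example.com TargetUserName=Admin TargetDomainName=CORP LogonType=3 TargetLogonId=0x3e7a1 IpAddress=10.0.2.15",
    "EventID=4672 Computer=dc1.corp.example.com SubjectUserName=Admin SubjectDomainName=CORP SubjectLogonId=0x3e7a1",
    "EventID=4624 Computer=dc1.corp.example.com TargetUserName=tmp-eng-7a41 TargetDomainName=CORP LogonType=10 TargetLogonId=0x5b1d3 IpAddress=10.0.1.50",
    "EventID=4672 Computer=dc1.corp.example.com SubjectUserName=tmp-eng-7a41 SubjectDomainName=CORP SubjectLogonId=0x5b1d3",
    "EventID=4648 Computer=dc1.corp.example.com SubjectUserName=tmp-eng-7a41 SubjectDomainName=CORP TargetUserName=Administrator TargetServerName=dc2.corp.example.com",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, object]:
    """Turn one key=value line into a dict; EventID and LogonType become ints."""
    ev: Dict[str, object] = dict(FIELD_RE.findall(line))
    for key in ("EventID", "LogonType"):
        if key in ev:
            ev[key] = int(ev[key])  # type: ignore[arg-type]
    return ev


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per interactive DC logon, unexpected privileged logon,
    or explicit-credential use, in event order.

    Event 4672 carries no logon type, so it is joined to its 4624 through the
    logon ID (4624.TargetLogonId == 4672.SubjectLogonId on the same Computer);
    that join is what tells you whether the privileged session was interactive.
    """
    events = [parse_event(line) for line in lines]
    sessions = {
        (ev["Computer"], ev["TargetLogonId"]): ev
        for ev in events if ev["EventID"] == 4624
    }
    alerts: List[Dict[str, object]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            alerts.append({
                "kind": "interactive_dc_logon",
                "computer": ev["Computer"],
                "user": ev["TargetUserName"],
                "logon_type": INTERACTIVE_LOGON_TYPES[ev["LogonType"]],  # type: ignore[index]
                "source": ev.get("IpAddress", "-"),
            })
        elif eid == 4672 and str(ev["SubjectUserName"]).lower() not in EXPECTED_PRIVILEGED:
            session = sessions.get((ev["Computer"], ev["SubjectLogonId"]))
            logon_type = session.get("LogonType") if session else None
            alerts.append({
                "kind": "unexpected_privileged_logon",
                "computer": ev["Computer"],
                "user": ev["SubjectUserName"],
                "logon_type": INTERACTIVE_LOGON_TYPES.get(
                    logon_type, "unknown" if logon_type is None else f"type {logon_type}"),  # type: ignore[arg-type]
            })
        elif eid == 4648:
            alerts.append({
                "kind": "explicit_credentials",
                "computer": ev["Computer"],
                "user": ev["SubjectUserName"],
                "as_user": ev.get("TargetUserName", "-"),
                "target": ev.get("TargetServerName", "-"),
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the Admin account's network logon and its expected 4672 produce nothing, while the hypothetical `tmp-eng-7a41` account yields three alerts: an RDP logon to dc1, a privileged logon that the logon-ID join resolves to that same RDP session, and explicit credential use against dc2. A transient account like that is exactly what an Amazon rotation backup or support engineer account would look like from your side, so the alert is the cue to check for the corresponding Amazon ticket rather than proof of compromise.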