# Enabling or disabling user and group management or Amazon Directory Service Data
To use user and group management or Amazon Directory Service Data, it must be enabled. Once enabled, you can manage users and groups from the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
**Important**
You can only enable this feature from the Primary Amazon Web Services Region for your directory. For more information, see [Primary vs additional Regions](https://docs.amazonaws.cn/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
For a list of regions that support Amazon Directory Service Data, see [Supported Amazon Web Services Regions for Directory Service Data](regions.md#regions_directory_service_data).
Access controls for Amazon Directory Service Data are different than access controls for Amazon Web Services services like Amazon WorkSpaces, Amazon Quick, and Amazon WorkMail. For more information, see [Amazon application authorization with Directory Service Data](ad_manage_apps_services_authorization.md#ad_manage_apps_services_authorization_ADSD).
## Enabling Amazon Directory Service Data
Use the following procedure to enable user and group management or Amazon Directory Service Data for an existing Amazon Managed Microsoft AD with either the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
------
#### [ Amazon Web Services Management Console ]
You can enable user and group management with the Amazon Web Services Management Console.
**To enable user and group management**
1. Open the Amazon Directory Service console at [https://console.amazonaws.cn/directoryservicev2/](https://console.amazonaws.cn/directoryservicev2/).
1. On the **Directory details** page, to enable user and group management, select **Enable**.
1. In the **Enable user and group management** dialog box, select **Enable**.
------
#### [ Amazon CLI ]
The following describes how to format a request that enables the Amazon Directory Service Data CLI. You must include your Directory ID number in your request.
**Note**
The enable Amazon Directory Service Data CLI commands use `aws ds`.
**To enable Amazon Directory Service Data CLI**
+ Open the Amazon CLI, and run the following command, replacing the Directory ID with your Amazon Managed Microsoft AD Directory ID:
```
aws ds enable-directory-data-access --directory-id d-1234567890
```
------
#### [ Amazon Tools for PowerShell ]
**To enable Directory Service Data with Tools for PowerShell**
+ Open PowerShell, and run the following command, replacing the Directory ID with your Amazon Managed Microsoft AD Directory ID:
```
Enable-DSDirectoryDataAccess -DirectoryId d-1234567890
```
------
## Disabling Amazon Directory Service Data
Use the following procedure to disable user and group management or Amazon Directory Service Data for an existing Amazon Managed Microsoft AD with either the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell.
------
#### [ Amazon Web Services Management Console ]
You can disable user and group management with the Amazon Web Services Management Console.
**To disable user and group management**
1. Open the Amazon Directory Service console at [https://console.amazonaws.cn/directoryservicev2/](https://console.amazonaws.cn/directoryservicev2/).
1. On the **Directory details** page, to disable user and group management, select **Disable**.
1. In the **Disable user and group management** dialog box, select **Disable**.
------
#### [ Amazon CLI ]
The following describes how to format a request that disables the Amazon Directory Service Data CLI. You must include your Directory ID number in your request.
**Note**
The disable Amazon Directory Service Data CLI commands use `aws ds`.
**To disable Amazon Directory Service Data CLI**
+ Open the Amazon CLI, and run the following command, replacing the Directory ID with your Amazon Managed Microsoft AD Directory ID:
```
aws ds disable-directory-data-access --directory-id d-1234567890
```
------
#### [ Amazon Tools for PowerShell ]
**To disable Directory Service Data with Tools for PowerShell**
+ Open PowerShell, and run the following command, replacing the Directory ID with your Amazon Managed Microsoft AD Directory ID:
```
Disable-DSDirectoryDataAccess -DirectoryId d-123456789
```
------