Active Directory service account permission requirements - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Active Directory service account permission requirements

If you plan to use Microsoft Active Directory to provide user-authenticated access to the file shares on your gateway, make sure that you have an Active Directory service account with delegated permissions to join computers to your domain. A service account is a user account that has been delegated specific tasks rather than broad administrative rights. You provide the username and password credentials for this account when you join a gateway to your Active Directory domain.

The service account must be delegated the following permissions on the organizational unit (OU) to which you are joining your gateway:

  • Ability to create and delete computer objects

  • Ability to reset passwords

  • Ability to modify permissions

  • Ability to restrict accounts from reading and writing data

  • Ability to read and write Account Restrictions

  • Validated write to service principal name

  • Validated write to DNS host name

These represent the minimum set of permissions required to create computer objects and join computers to your Active Directory domain. For more information, see the Microsoft Windows Server documentation topic Error: Access is denied when non-administrator users who have been delegated control try to join computers to a domain controller.
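The delegation described above, as an added example that is not part of the Amazon Storage Gateway documentation: a PowerShell script that grants the listed rights to a join account on a single OU and then reads the resulting ACEs back. The OU distinguished name (`OU=Gateways,DC=corp,DC=example,DC=com`), the account name (`CORP\svc-sgw-join`) and the helper functions `Get-SchemaClassGuid`, `Get-RightsGuid`, `New-Ace` and `Get-DelegatedAces` are assumptions made for this example. The script looks up the class, property-set and validated-write GUIDs in the live forest instead of hard-coding them, and it requires the RSAT ActiveDirectory module run by a principal that can modify the OU's DACL.

```powershell
# Added example, not from the Amazon Storage Gateway documentation.
# Hypothetical values: OU "OU=Gateways,DC=corp,DC=example,DC=com",
# service account "CORP\svc-sgw-join". Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn           = 'OU=Gateways,DC=corp,DC=example,DC=com'   # hypothetical OU
$ServiceAccount = 'CORP\svc-sgw-join'                        # hypothetical join account

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve GUIDs from the forest schema / Extended-Rights container rather than hard-coding them.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    # Extended rights, property sets and validated writes all live under CN=Extended-Rights.
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$computerClass   = Get-SchemaClassGuid 'computer'
$resetPassword   = Get-RightsGuid 'Reset Password'
$accountRestrict = Get-RightsGuid 'Account Restrictions'
$validatedDns    = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn    = Get-RightsGuid 'Validated write to service principal name'

$sid         = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier])
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$inheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Helper (assumed name): one object-specific ACE for the join account.
function New-Ace([System.DirectoryServices.ActiveDirectoryRights]$Right,
                 [guid]$ObjectType,
                 [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
                 [guid]$InheritedObjectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Right, $allow, $ObjectType, $Inheritance, $InheritedObjectType)
}

$rules = @(
    # Create and delete computer objects in this OU and its sub-OUs.
    (New-Ace ($rights::CreateChild -bor $rights::DeleteChild) $computerClass $inheritAll),
    # Reset Password extended right, scoped to descendant computer objects only.
    (New-Ace $rights::ExtendedRight $resetPassword $descendents $computerClass),
    # Read and write the Account Restrictions property set (userAccountControl and related attributes).
    (New-Ace ($rights::ReadProperty -bor $rights::WriteProperty) $accountRestrict $descendents $computerClass),
    # Validated writes ("Self" right): the DC checks the value against the object's own name.
    (New-Ace $rights::Self $validatedDns $descendents $computerClass),
    (New-Ace $rights::Self $validatedSpn $descendents $computerClass),
    # "Ability to modify permissions" from the list above: WriteDacl on descendant computer
    # objects only. Never grant this on the OU itself; it lets the holder rewrite the DACL.
    (New-Ace $rights::WriteDacl ([guid]::Empty) $descendents $computerClass)
)

$aclPath = "AD:\$OuDn"
$acl = Get-Acl -Path $aclPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $aclPath -AclObject $acl

# Check: list the ACEs the join account now holds on the OU, so the result can be reviewed.
function Get-DelegatedAces([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedAces -Path $aclPath -Identity $ServiceAccount | Format-Table -AutoSize
```

Two caveats when checking the result. The ObjectType column prints raw GUIDs; compare them against the values resolved at the top of the script rather than eyeballing them. Also, a join may succeed even when this delegation is wrong or missing, because by default any authenticated user can create up to ms-DS-MachineAccountQuota (10) computer accounts in the domain; test the delegation with that quota in mind, and rely on the OU-scoped ACEs rather than on the quota.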