A Step-by-Step Guide to Managing Users in AWS Managed Microsoft AD
Introduction
In today’s dynamic IT environments, managing user accounts and permissions efficiently is crucial for maintaining security and productivity. AWS Managed Microsoft AD provides a robust solution for handling Active Directory needs in the cloud, offering seamless integration with AWS services. This blog will guide you through the process of managing users within AWS Managed AD, including creating, deleting, and viewing users. Additionally, we’ll explore why AWS Workspaces is an invaluable tool for testing and managing these user accounts, offering isolated and consistent environments that simplify the user management process.
1. For this demo, you need to have your directory created first. In the Directory Service console, create a directory of type "AWS Managed Microsoft AD" with any domain name you like, in the VPC where you will later launch the EC2 instance. Provisioning takes approximately 15–20 minutes; the official documentation walks through the wizard. Make sure to note the "Admin password" you set during creation, as we will need it later: it is the password of the built-in "Admin" account, which is the only user that exists at this point.
2. There are now two ways to manage users. The first option is to let the directory console launch a directory administration EC2 instance for you, which comes pre-joined to the domain with the management tools installed. The second option is to launch a Windows EC2 instance yourself, join it to the directory and install the Active Directory management tools (RSAT) on it. Note that you never install Active Directory itself: AWS runs the domain controllers, and our server only acts as a management workstation. We will go with the second option.
3. Go to EC2, click on "Launch Instance," and select the "Windows Server 2019 Base" image. Create (or select) a key pair and download its .pem file, as we will need it to retrieve the Windows password. Launch the instance in the same VPC as your directory and give it a security group that allows RDP (TCP 3389) only from your own IP address; the other options can stay at their defaults. Use the "t3.medium" instance size.
4. After the instance is running, select it and click on "Connect." Choose the "RDP" option and download the RDP file. To retrieve the local Administrator password, click on "Get Password," upload your .pem file, and click on "Decrypt Password." Copy the password shown and use it to log in to the Windows server.
5. Before we join the domain, the server has to be able to resolve it, so we first point the network adapter at the directory's DNS servers. Search for "ncpa.cpl" to open the network connections, open the adapter's properties, select "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties." In your directory's details page, copy the two DNS addresses and enter them as the preferred and alternate DNS servers, then click "OK." The same details page shows the directory's DNS name (the domain name), which you will need in step 7. If the DNS addresses are not reachable from the instance, the join in step 8 will fail, so check that the instance is in the directory's VPC (or a VPC that can reach it).
6. Now go to This PC → Properties → Change settings (under the computer name and workgroup section).
7. On the "Computer Name" tab click the "Change" button, select "Domain," and enter your directory's fully qualified domain name (the same domain name you gave the directory, for example corp.example.com). Then click "OK."
8. After clicking "OK," a credentials prompt appears asking for an account that is allowed to join computers to the domain. Enter the user name Admin and the Admin password you set in step 1 while creating the directory.
9. If everything is set up correctly, a dialog box welcomes you to the domain, confirming that the join succeeded. Click "OK," and you will be prompted to restart. Restart the machine.
10. Now log in to the server again, this time with the domain account: the user name is in the format NETBIOS\Admin, where NETBIOS is the short name of your directory (for corp.example.com this would be CORP\Admin), and the password is the Admin password. Click "OK," and you should be logged on to the server as a domain user.
11. Now open Server Manager to add the management tools. Click on Add Roles & Features → Next → choose "Role-based or feature-based installation" → Next → Next through the server selection and roles pages until you reach the Features section.
In the Features section, expand Remote Server Administration Tools → Role Administration Tools and select AD DS and AD LDS Tools, Active Directory Certificate Services Tools, and Active Directory Rights Management Services Tools. The destination server shown in the top right should now read as servername.yourdomain, which confirms that the join worked. Click Next and then Install. These are client-side administration consoles only; they do not turn the server into a domain controller. After the installation is complete, reboot the server.
12. After the reboot, log in with the same credentials (NETBIOS\Admin and the Admin password), then open Windows Administrative Tools.
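The DNS change, domain join and RSAT install from steps 5 to 11 can also be done from an elevated PowerShell session on the new instance. The block below is an added example, not a script from the original post or from AWS; the domain name, NetBIOS name and DNS addresses in it are placeholders, so replace them with the values shown on your directory's details page. It adds one check the GUI route skips: resolving the domain's LDAP SRV records before attempting the join, which is where a wrong DNS setting or an unreachable VPC shows up first.

```powershell
# Added example (not from the original post): steps 5 to 11 from an elevated
# PowerShell session on the new Windows Server instance instead of the GUI.
# The three values below are assumptions; take the real ones from the
# directory's details page in the Directory Service console.
$DomainFqdn   = 'corp.example.com'           # assumption: your Managed AD domain name
$NetBiosName  = 'CORP'                       # assumption: the directory's NetBIOS (short) name
$DirectoryDns = @('10.0.0.10', '10.0.1.10')  # assumption: the directory's two DNS addresses

# Step 5: point the active network adapter at the directory's DNS servers.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DirectoryDns

# Check the change before joining: the domain controllers publish LDAP SRV records,
# and if these do not resolve the join will fail (wrong DNS addresses, or the
# instance is in a VPC that cannot reach the directory).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port | Format-Table -AutoSize

# Steps 7 and 8: join the domain. The Admin password is prompted for interactively
# so it is never written into the script or left in the PowerShell history.
$cred = Get-Credential -UserName "$NetBiosName\Admin" -Message 'AWS Managed AD Admin password'
Add-Computer -DomainName $DomainFqdn -Credential $cred -Force

# Step 11: install the same RSAT tools chosen in Server Manager. These are
# management consoles only; the domain controllers themselves are run by AWS.
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-ADCS, RSAT-ADRMS -IncludeManagementTools

# Step 9: reboot so the join takes effect, then log in as NETBIOS\Admin.
Restart-Computer -Force
```

After the reboot, `Test-ComputerSecureChannel` should return True and `(Get-CimInstance Win32_ComputerSystem).Domain` should print the directory's domain name; if either fails, the join did not complete and the GUI steps above will show the same error.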
13. Open Active Directory Users and Computers and expand your domain. AWS Managed Microsoft AD gives the Admin account full control only over the organizational unit named after your directory's NetBIOS name (for corp.example.com, an OU called corp); the Admin user lives in the Users OU beneath it, and that is also where you create new users, because the default Users container at the domain root is not writable by Admin. Expand that OU and click Users to see the list.
14. As of now, there is only one user, "Admin." Before creating a new one, we will register the directory with AWS Workspaces, so that the Workspaces console can serve as a second view of the directory's users and, later, so that a new user can be given a workspace.
15. Before launching Workspaces, you need to register your directory with Workspaces in the same region.
16. Now go to Personal → Create Workspace → choose "I know what Workspace options I need for my use case" → select Personal use → and then select your directory. The user list on that page should already show the Admin user.
17. Stay on this page and do not select any user. Go back to your Windows Server, to the Users OU where we left off. Right-click the OU and choose New → User. Fill in the name fields and a user logon name (this post uses the form "abc.xyz" for the logon name). On the next window, provide a password, tick "User must change password at next logon" so the initial password is only ever used once, and click Finish. The user is created.
18. Now go back to the Workspace console where you see the existing users. Click on the Refresh button on the same page, and you should see the newly created user.
19. The Workspaces console also has a Create User button that creates the user in the directory for you. What it cannot do is delete a directory user. When someone leaves, you must remove the account in Active Directory from the Users OU; and note that deleting the account does not remove a workspace that was created for it, so delete that separately from the Workspaces console.
20. To delete the user, go back to your server, select the user you want to delete, right-click on the user, choose Delete, and confirm the deletion. A safer order for offboarding is to disable the account first (right-click → Disable Account), which blocks sign-in immediately while you retire the workspace, and delete it afterwards.
21. Now refresh the AWS Workspaces console once again, and you will see that the user is no longer there.
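The create, list and delete cycle of steps 13 to 21 can be scripted with the ActiveDirectory module that the RSAT install in step 11 brings along. The block below is an added example, not a script from the original post or from AWS, run on the domain-joined server as NETBIOS\Admin; the user name and display name in it are assumptions, while the OU path follows the layout AWS Managed Microsoft AD creates (the Users OU under the OU named after the directory). It reads the domain name, NetBIOS name and distinguished name from the directory itself rather than hard-coding them.

```powershell
# Added example (not from the original post): create, list, disable and delete a
# user with the ActiveDirectory module, run on the domain-joined server as
# NETBIOS\Admin. User name and display name are assumptions.
Import-Module ActiveDirectory

# Read the FQDN, NetBIOS name and distinguished name from the directory.
$Domain     = Get-ADDomain
$DomainFqdn = $Domain.DNSRoot

# AWS Managed Microsoft AD gives Admin full control only over the OU named after
# the directory's NetBIOS name; Admin lives in its Users OU and new users go there.
# The default CN=Users container at the domain root is not writable by Admin.
$UsersOu = "OU=Users,OU=$($Domain.NetBIOSName),$($Domain.DistinguishedName)"

$Sam = 'abc.xyz'                               # assumption: logon name in the post's first.last form
$Upn = "$($Sam)@$($DomainFqdn)"

# The initial password is prompted for, not stored in the script.
$InitialPassword = Read-Host -AsSecureString -Prompt "Initial password for $Sam"

# Step 17: create the user. ChangePasswordAtLogon forces a new password at first sign-in.
New-ADUser -Name 'Abc Xyz' -GivenName 'Abc' -Surname 'Xyz' `
    -SamAccountName $Sam -UserPrincipalName $Upn -Path $UsersOu `
    -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true

# Steps 13 and 18: list the users in that OU. This is the set the Workspaces
# console shows after you click Refresh.
Get-ADUser -Filter * -SearchBase $UsersOu |
    Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize

# Step 20: offboarding. Disable first so the account cannot sign in while its
# workspace is being removed, then delete the account.
Disable-ADAccount -Identity $Sam
Remove-ADUser -Identity $Sam -Confirm:$false

# Confirm the account is gone; Get-ADUser -Identity raises an error when it is.
try   { Get-ADUser -Identity $Sam -ErrorAction Stop | Out-Null; "$Sam still present" }
catch { "$Sam deleted" }
```

Because the script writes into the OU the directory makes writable to Admin, the New-ADUser call fails with an access-denied error if you point -Path at the domain root's CN=Users instead, which is the same reason the GUI steps above create the user under the directory's own OU.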
22. In this way, you can manage your AWS Managed Microsoft AD.
23. Why Workspaces?
AWS Workspaces is a convenient companion to AWS Managed AD for two reasons. First, it gives you a second, independent view of the directory: the user list in the Workspaces console is read from the directory, so it confirms that an account you created or deleted in Active Directory Users and Computers is visible (or gone) to other AWS services. Second, a workspace is an isolated virtual desktop bound to one directory user, so you can sign in as a newly created user and check logon, password policy and group membership without touching your primary systems.
This makes it possible to try user management changes in AWS Managed AD, such as new accounts, password resets or disabled accounts, and observe their effect from the user's side before rolling them out more widely. Problems surface in a throwaway desktop rather than on a production machine.
Finally, Workspaces are quick to create and terminate, so you can spin up a desktop for a test user and discard it when done, keeping only the resources you actually need for each testing phase.
Conclusion
By leveraging AWS Managed Microsoft AD and AWS Workspaces, you can streamline your user management processes and ensure a secure and efficient environment for testing and administrative tasks. AWS Managed AD simplifies user and group management in the cloud, while AWS Workspaces provides a flexible and controlled platform for testing changes without disrupting your primary systems. Implementing these tools together enhances your ability to manage users effectively, supports better security practices, and optimizes your IT operations. As you integrate these solutions, you’ll find that maintaining a robust and secure user management system becomes a more manageable and reliable task.