Directory Service - Create Authorization Store

0

Creating a new authorization store in AWS Directory Service as built-in "admin" account received "Access is denied" error. What are the steps to create authorization stores using AWS Directory Service?

asked a year ago · 223 views
2 Answers
0

Hi,

Thank you for contacting us! I understand that you are facing an authorization error while trying to create a directory in AWS Directory Service. Please correct me if I have misunderstood your query.

Please refer to the following documentation to identify the permissions required to use the AWS Directory Service console and/or create the directory:

The following documentation lists the AWS Directory Service APIs and required permissions for each of those operations:

Note how the CreateDirectory call requires the following permissions:

ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags

Since you mentioned that you are creating the resource using an Admin account, I recommend checking for any denies from Service Control Policies as outlined in the following documentation:

Depending on the type of directory being created, our documentation has instructions that you can follow:

If you require assistance in troubleshooting this issue, I recommend creating a support case so we can discuss specifics on associated policies. Since re:Post is a public platform, please do not post any resource details here for security and privacy reasons.

Thanks again for reaching out to us! Looking forward to hearing from you.

AWS
SUPPORT ENGINEER
answered a year ago
0

Hello,

I understand that you are unable to create a new authorisation store in AWS Managed Microsoft AD directory d-9d672c8d1e using the Admin account, and that you receive an access denied error.

I was able to reproduce the issue in my lab. I used the Admin account and opened AzMan.msc to create a new authorisation store in AD. If we use "CN=Program Data,DC=domain,DC=com" it will fail with an access denied error. As you may already be aware, in AWS Managed AD the user does not have full control; Admin has the maximum allowed permissions.

Further, I tried with the customer managed OU; however, it also failed. Then I reviewed the Microsoft document [1] and observed that the store either has to be in "CN=Program Data,DC=domain,DC=com" or in another container inside an OU.

In order to resolve the issue, you need to create a container inside the customer managed OU. Please refer to the below action plan.

Action Plan:

  1. Log in to the RSAT server using the Admin user.
  2. Open PowerShell as administrator.
  3. Run the command: (New-Guid).Guid
  4. Now run the PowerShell command below. Please modify the NetBIOS name and domain names accordingly.

New-ADObject -Name "Store" -Type Container -Path "OU=YourNetBIOSName,DC=YourDomainSuffix,DC=YourDomainRoot"

Example: New-ADObject -Name "Store" -Type Container -Path "OU=fabrikam,DC=fabrikam,DC=com"

  5. The above command will create a container named Store inside the customer managed OU. Please note the customer managed OU is created with the NetBIOS name of the domain.

  6. Run the dsa.msc command and turn on Advanced Features by choosing View in the Active Directory Users and Computers tool, and then choosing Advanced Features.

  7. You should be able to see a container named Store under the customer managed OU.

  8. Now open AzMan.msc and click on Create New Authorisation Store. In the Store Name field, choose the location of the container created in the steps above.

Example: In my lab, the domain name is fabrikam.com and the NetBIOS name is Fabrikam. The container I created is Store. So the store name in AzMan has to be as below.

CN=test,CN=Store,OU=FABRIKAM,DC=Fabrikam,DC=com

You can replace CN=Test with any name you would like for the store.

Thanks again for reaching out to us! Looking forward to hearing from you.

References:

[1] Creating an Active Directory Store. https://learn.microsoft.com/en-us/windows/win32/secauthz/creating-an-authorization-policy-store-object-in-script

[2] How to Create a Container in AD. https://robinhobo.com/how-to-create-container-objects-in-active-directory-not-ous/

AWS
SUPPORT ENGINEER
answered a year ago
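The action plan above as one PowerShell script. This is an added example, not part of either re:Post answer and not AWS code: it derives the customer-managed OU from the domain's NetBIOS name (which the answer says is how AWS Managed Microsoft AD names it), creates the Store container only if it is missing, verifies that the object really is a container, and returns the distinguished name to paste into the AzMan.msc Store Name field. The second function creates the store from script instead of the MMC, using the AzRoles COM object exactly as in the Microsoft reference [1] cited by the answer; note that in script the store URL takes the msldap:// prefix, whereas the answer reports typing the bare distinguished name into AzMan.msc. Assumed: the RSAT ActiveDirectory module is installed and the script runs as the Admin user on the domain-joined management host; the function and parameter names, and the fabrikam.com example domain, are illustrative.

```powershell
Import-Module ActiveDirectory

function New-AzManStoreContainer {
    <#
      Creates (if needed) a container under the customer-managed OU of an
      AWS Managed Microsoft AD domain and returns the distinguished name to
      use as the AzMan store name. Admin cannot write to CN=Program Data in
      a managed directory, so the delegated OU is the only supported place.
    #>
    param(
        [string]$ContainerName = 'Store',   # container created in the answer
        [string]$StoreName     = 'test'     # store object placed inside it
    )

    # The customer-managed OU is named after the domain's NetBIOS name,
    # e.g. OU=FABRIKAM,DC=Fabrikam,DC=com.
    $domain = Get-ADDomain
    $ouDN   = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"

    # Stop early with a specific message if the OU is missing, instead of
    # failing later with a less informative "Access is denied".
    try   { $null = Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction Stop }
    catch { throw "Customer-managed OU '$ouDN' was not found: $($_.Exception.Message)" }

    $containerDN = "CN=$ContainerName,$ouDN"

    # Idempotent: only create the container when it does not already exist.
    $existing = Get-ADObject -LDAPFilter "(&(objectClass=container)(cn=$ContainerName))" `
                             -SearchBase $ouDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADObject -Name $ContainerName -Type Container -Path $ouDN
        Write-Verbose "Created container $containerDN"
    }

    # Verify the object exists and is a container (dsa.msc only shows it
    # with Advanced Features turned on).
    $container = Get-ADObject -Identity $containerDN -ErrorAction Stop
    if ($container.ObjectClass -ne 'container') {
        throw "$containerDN exists but is a $($container.ObjectClass), not a container"
    }

    # This is the value to type into the AzMan.msc Store Name field.
    return "CN=$StoreName,$containerDN"
}

function New-AzManAuthorizationStore {
    <#
      Creates the authorization store from script instead of AzMan.msc,
      following the VBScript in Microsoft reference [1]. Flag 1 is
      AZ_AZSTORE_FLAG_CREATE; AD-backed stores use the msldap:// scheme.
    #>
    param([Parameter(Mandatory)][string]$StoreDN)

    $url   = "msldap://$StoreDN"
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(1, $url, $null)   # 1 = AZ_AZSTORE_FLAG_CREATE
    $store.Submit(0, $null)             # persist the new store object in AD
    return $url
}

# Usage (run as the Admin user on the RSAT host):
$storeDN = New-AzManStoreContainer -ContainerName 'Store' -StoreName 'test' -Verbose
"Use this as the Store Name in AzMan.msc: $storeDN"
# Or create the store without the MMC:
# New-AzManAuthorizationStore -StoreDN $storeDN
```

Running the first function on the answer's lab domain returns CN=test,CN=Store,OU=FABRIKAM,DC=Fabrikam,DC=com, which matches the store name the answer shows. Keeping the container creation idempotent and verifying the object class means the script can be re-run safely, and a failure at the OU lookup points at the delegation problem rather than at AzMan.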
