Hi,
Thank you for contacting us! I understand that you are facing an authorization error while trying to create a directory in AWS Directory Service. Please correct me if I have misunderstood your query.
Please refer to the following documentation to identify the permissions required to use the AWS Directory Service console and/or create the directory:
- [1] Using identity-based policies (IAM policies) for AWS Directory Service - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.html
- [2] Using identity-based policies (IAM policies) for AWS Directory Service - Example 2: Allow a user to create a directory - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.html#IAMPolicyExamples_DS_create_directory
The following documentation lists the AWS Directory Service APIs and required permissions for each of those operations:
- [3] AWS Directory Service API permissions: Actions, resources, and conditions reference - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html
Note how the CreateDirectory call requires the following permissions:
ds:CreateDirectory, ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:CreateSecurityGroup, ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress, ec2:CreateTags
Since you mentioned that you are creating the resource using an Admin account, I recommend checking for any denies from Service Control Policies as outlined in the following documentation:
Depending on the type of directory being created, our documentation has instructions that you can follow:
- [5] Tutorial: Create a Simple AD directory - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_tutorial_create.html
If you require assistance in troubleshooting this issue, I recommend creating a support case so we can discuss specifics on associated policies. Since re:Post is a public platform, please do not post any resource details here for security and privacy reasons.
Thanks again for reaching out to us! Looking forward to hearing from you.
Hello,
I understand that you are unable to create a new authorisation store in AWS Managed Microsoft AD directory d-9d672c8d1e using the Admin account, and that you receive an access denied error.
I was able to reproduce the issue in my lab. I used the Admin account and opened AzMan.msc to create a new authorisation store in AD. If we use "CN=Program Data,DC=domain,DC=com" it fails with an access denied error. As you may already be aware, in AWS Managed AD the user does not have full control; Admin has the maximum allowed permissions.
Further, I tried with the customer managed OU, however it also failed. Then I reviewed the Microsoft document [1] and observed that the location either has to be "CN=Program Data,DC=domain,DC=com" or another container inside an OU.
In order to resolve the issue, you need to create a container inside the customer managed OU. Please refer to the below action plan.
Action Plan:
- Login to the RSAT server using the Admin user.
- Open PowerShell as administrator.
- Run the command: (New-Guid).Guid
- Now run the PowerShell command below. Please modify the NetBIOS name and domain names accordingly.
  New-ADObject -Name "Store" -Type Container -Path "OU=YourNetBIOSName,DC=YourDomainSuffix,DC=YourDomainRoot"
  Example: New-ADObject -Name "Store" -Type Container -Path "OU=fabrikam,DC=fabrikam,DC=com"
- The above command will create a container named Store inside the customer managed OU. Please note the customer managed OU is created with the NetBIOS name of the domain.
- Run dsa.msc and turn on Advanced Features by choosing View in the Active Directory Users and Computers tool, and then choosing Advanced Features.
- You should be able to see a container named Store under the customer managed OU.
- Now open AzMan.msc and click on Create New Authorisation Store. In the Store Name field, choose the location of the container created in the above steps.
  Example: In my lab, the domain name is fabrikam.com and the NetBIOS name is Fabrikam. The container I created is Store. So the store name in AzMan has to be as below.
  CN=test,CN=Store,OU=FABRIKAM,DC=Fabrikam,DC=com
  You can replace CN=test with any name you would like for the store.
Thanks again for reaching out to us! Looking forward to hearing from you.
References:
[1] Creating an Active Directory Store. https://learn.microsoft.com/en-us/windows/win32/secauthz/creating-an-authorization-policy-store-object-in-script
[2] How to Create a Container in AD. https://robinhobo.com/how-to-create-container-objects-in-active-directory-not-ous/
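As an added example (not part of either answer above), the following PowerShell script performs the container-creation steps from the action plan in one idempotent run: it derives the customer-managed OU from the domain's NetBIOS name, creates the Store container only if it is missing, verifies it, and prints the DN to enter in AzMan. It assumes the ActiveDirectory RSAT module is installed and that it runs on the RSAT server as the Admin user; the container name Store and the placeholder store name test are taken from the answer.

```powershell
# Added example: create the AzMan container under the AWS customer-managed OU.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
# AWS Managed Microsoft AD creates the customer-managed OU with the domain's NetBIOS name,
# e.g. OU=fabrikam,DC=fabrikam,DC=com
$ouDn      = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
$storeName = 'Store'
$storeDn   = "CN=$storeName,$ouDn"

# Fail early if the customer-managed OU cannot be found; Admin has no rights outside it.
try {
    $null = Get-ADOrganizationalUnit -Identity $ouDn
} catch {
    throw "Customer-managed OU not found: $ouDn"
}

# Create the container only when it does not already exist (safe to re-run).
$existing = Get-ADObject -LDAPFilter "(&(objectClass=container)(cn=$storeName))" `
                         -SearchBase $ouDn -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name $storeName -Type Container -Path $ouDn
    Write-Output "Created container $storeDn"
} else {
    Write-Output "Container already exists: $storeDn"
}

# Verify the object and show the location to paste into the AzMan Store Name field.
$check = Get-ADObject -Identity $storeDn -Properties objectClass
if ($check.ObjectClass -ne 'container') {
    throw "Unexpected object class at $storeDn : $($check.ObjectClass)"
}
Write-Output "AzMan store name (replace 'test' with your store name): CN=test,$storeDn"
```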