

# User and group management in AWS Managed Microsoft AD
User and group management

 You can manage users and groups in AWS Managed Microsoft AD. You create a user to represent a person or entity that can access your directory. You can also create a group to grant and deny permissions to more than one user at a time. You can add not only users to a group, but also groups to a group. When you add a user to a group, the user inherits the roles and permissions assigned to the group. When you add a group to a group, the groups share a parent-child relationship, where the child group inherits the roles and permissions assigned to the parent group. You can also copy a user's group memberships into another user. 

You can manage users and groups with [AWS Directory Service Data](ms_ad_getting_started_directory_service_data.md) using the following methods:
+ [AWS Management Console](#ms_ad_manage_users_groups_with_console)
+ [AWS CLI](#ms_ad_manage_users_groups_console_cli)
+ [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html)
+ [AWS Tools for Windows PowerShell](https://docs.aws.amazon.com/powershell/latest/reference/items/DirectoryServiceData_cmdlets.html)

For a demonstration of the AWS Directory Service Data CLI, see the following YouTube video.

[![AWS Videos](http://img.youtube.com/vi/GJK567cuBu0/0.jpg)](http://www.youtube.com/watch?v=GJK567cuBu0)


Alternatively, you can use a [domain-joined instance](#ms_ad_manage_users_groups_with_instance).

## Manage users and groups with the AWS Management Console
AWS Management Console

 You can manage users and groups in the AWS Management Console through AWS Directory Service Data. Directory Service Data is an extension of Directory Service that lets you perform built-in object management tasks, such as creating users and groups, adding users to groups, and adding groups to other groups.

For more information, see [Manage AWS Managed Microsoft AD users and groups with the AWS Management Console](ms_ad_manage_users_groups_procedures.md).

**Note**  
To use this feature, it must be enabled. For more information, see [Enable user and group management](ms_ad_users_groups_mgmt_enable_disable.md).  
 You can only manage users and groups with the AWS Management Console from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).  
You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
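The managed policies named above grant the Directory Service Data actions on every directory in the account, which is more than a help-desk or automation role usually needs. The following customer-managed policy is an added example, not part of the AWS documentation: it allows the user lifecycle and group-membership actions on one directory only, refuses membership changes to privileged groups, and refuses toggling the feature itself. The account ID, Region, directory ID and the protected-group names are placeholders; `ds:AccessDSData` is assumed to be the `ds` permission that gates calls to the data API, and the `ds-data:SAMAccountName` condition key is assumed to match the group named in `AddGroupMember`/`RemoveGroupMember` requests. Verify both against the Service Authorization Reference entry for AWS Directory Service Data before deploying, and extend the protected-group list to whatever your directory treats as privileged.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HelpdeskUserLifecycleOnOneDirectory",
      "Effect": "Allow",
      "Action": [
        "ds:AccessDSData",
        "ds:ResetUserPassword",
        "ds-data:DescribeUser",
        "ds-data:DescribeGroup",
        "ds-data:ListUsers",
        "ds-data:ListGroups",
        "ds-data:ListGroupMembers",
        "ds-data:ListGroupsForMember",
        "ds-data:SearchUsers",
        "ds-data:SearchGroups",
        "ds-data:CreateUser",
        "ds-data:UpdateUser",
        "ds-data:DisableUser",
        "ds-data:AddGroupMember",
        "ds-data:RemoveGroupMember"
      ],
      "Resource": "arn:aws:ds:us-east-1:123456789012:directory/d-1234567890"
    },
    {
      "Sid": "NeverChangePrivilegedGroupMembership",
      "Effect": "Deny",
      "Action": [
        "ds-data:AddGroupMember",
        "ds-data:RemoveGroupMember"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "ds-data:SAMAccountName": [
            "AWS Delegated Administrators",
            "Domain Admins"
          ]
        }
      }
    },
    {
      "Sid": "HelpdeskCannotToggleTheFeature",
      "Effect": "Deny",
      "Action": [
        "ds:EnableDirectoryDataAccess",
        "ds:DisableDirectoryDataAccess"
      ],
      "Resource": "*"
    }
  ]
}
```

The explicit Deny statements win over any Allow granted elsewhere, so they hold even if the role later picks up `AWSDirectoryServiceDataFullAccess`. Group creation, group deletion and user deletion are deliberately left out of the Allow list; add them only for roles that need them.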

## Manage users and groups with the AWS CLI
AWS CLI

 You can manage users and groups with the AWS CLI through the [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html). Directory Service Data is an extension of Directory Service that provides you with the ability to perform built-in object management tasks using the `ds-data` namespace. Some of these tasks include creating users and groups and adding users to groups as well as groups to a group.

**Create a user with AWS Directory Service Data CLI**  
 The following is an example AWS CLI command that uses the `ds-data` namespace to create a user. 

```
aws ds-data create-user --directory-id d-1234567890 --sam-account-name "jane.doe" --region your-Primary-Region-name
```

**Note**  
To use the AWS Directory Service Data CLI, the feature must be enabled on the directory. For more information, see [Enabling or disabling user and group management or AWS Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).  
 You can only manage users and groups with the AWS Directory Service Data CLI from the primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).  
You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).

For more information, see [Manage AWS Managed Microsoft AD users and groups with the AWS CLI](ms_ad_manage_users_groups_procedures.md).

## Manage users and groups with AWS Tools for PowerShell
AWS Tools for PowerShell

The [AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-welcome.html) provides two separate modules for managing AWS Directory Service: `AWS.Tools.DirectoryService` (DS) and `AWS.Tools.DirectoryServiceData` (DSD). When working with AWS Directory Service, ensure you're using the appropriate module for your intended operation.
+ The `DirectoryService` module contains cmdlets for managing directory service configuration and administration, including cmdlets like `Enable-DSDirectoryDataAccess`, `Disable-DSDirectoryDataAccess`, and `Reset-DSUserPassword`.
+ The `DirectoryServiceData` module contains cmdlets for performing operations within a directory, specifically focused on user and group management. These DSD cmdlets include user management operations (`New-DSDUser`, `Get-DSDUser`, `Update-DSDUser`, and `Remove-DSDUser`), group management operations (`New-DSDGroup`, `Get-DSDGroup`, `Update-DSDGroup`, and `Remove-DSDGroup`), group membership management (`Add-DSDGroupMember` and `Remove-DSDGroupMember`), and search functionality (`Search-DSDUser` and `Search-DSDGroup`).

## Manage users and groups with an on-premises instance or Amazon EC2 instance
On-premises or Amazon EC2 instance

 If AWS Directory Service Data doesn't support your use case, we recommend managing users and groups from an on-premises or EC2 instance that is joined to the directory.

To create users and groups in an AWS Managed Microsoft AD, you can use any instance (from either on-premises or EC2) that has been joined to your AWS Managed Microsoft AD. You need to be logged in as a user that has privileges to create users and groups. You will also need to install the Active Directory Tools on your instance so you can add your users and groups with the Active Directory Users and Computers tool.
+ You can deploy a pre-configured EC2 instance with preinstalled Active Directory administrative tools from Directory Service management console. For more information, see [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md).
+ If you need to deploy a self-managed EC2 instance with administrative tools and install the necessary tools, see [Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active Directory](microsoftadbasestep3.md).

**Topics**
+ [Manage users and groups with the AWS Management Console](#ms_ad_manage_users_groups_with_console)
+ [Manage users and groups with the AWS CLI](#ms_ad_manage_users_groups_console_cli)
+ [Manage users and groups with AWS Tools for PowerShell](#ms_ad_manage_users_groups_pwershell)
+ [Manage users and groups with an on-premises instance or Amazon EC2 instance](#ms_ad_manage_users_groups_with_instance)
+ [Manage AWS Managed Microsoft AD users and groups with the AWS Management Console, AWS CLI, or AWS Tools for PowerShell](ms_ad_manage_users_groups_procedures.md)
+ [Manage users and groups with an Amazon EC2 instance](ms_ad_manage_users_groups_ec2.md)

# Manage AWS Managed Microsoft AD users and groups with the AWS Management Console, AWS CLI, or AWS Tools for PowerShell
Manage users and groups with the console, CLI, or PowerShell

You can use the AWS Management Console, AWS CLI, or AWS Tools for PowerShell to manage your AWS Managed Microsoft AD users and groups with [AWS Directory Service Data](ms_ad_getting_started_directory_service_data.md). The AWS Directory Service Data CLI uses the `ds-data` namespace. For more information on the AWS CLI, see [ Getting started with AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). For more information on AWS Tools for PowerShell, see [AWS Tools for PowerShell User Guide](https://docs.aws.amazon.com//powershell/latest/userguide/pstools-welcome.html).

See the following procedures for more information on creating, viewing, updating, and deleting AWS Managed Microsoft AD users and groups.

**Topics**
+ [Enabling or disabling user and group management or AWS Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md)
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md)
+ [Viewing and updating an AWS Managed Microsoft AD user](ms_ad_view_update_user.md)
+ [Deleting an AWS Managed Microsoft AD user](ms_ad_delete_user.md)
+ [Disabling an AWS Managed Microsoft AD user](ms_ad_disable_user.md)
+ [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md)
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md)
+ [Viewing and updating an AWS Managed Microsoft AD group's details](ms_ad_view_update_group.md)
+ [Deleting an AWS Managed Microsoft AD group](ms_ad_delete_group.md)
+ [Adding and removing AWS Managed Microsoft AD members to groups and groups to groups](ms_ad_add_remove_user_group.md)
+ [Copying an AWS Managed Microsoft AD group's memberships in the AWS Management Console](copy_group_membership.md)

# Enabling or disabling user and group management or AWS Directory Service Data
Enabling or disabling AWS Directory Service Data

To use user and group management or AWS Directory Service Data, it must be enabled. Once enabled, you can manage users and groups from the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
 For a list of regions that support AWS Directory Service Data, see [Supported AWS Regions for Directory Service Data](regions.md#regions_directory_service_data).
Access controls for AWS Directory Service Data are different from the access controls for AWS applications such as Amazon WorkSpaces, Amazon Quick, and Amazon WorkMail. For more information, see [AWS application authorization with Directory Service Data](ad_manage_apps_services_authorization.md#ad_manage_apps_services_authorization_ADSD).

## Enabling AWS Directory Service Data


Use the following procedure to enable user and group management or AWS Directory Service Data for an existing AWS Managed Microsoft AD with either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

------
#### [ AWS Management Console ]

You can enable user and group management with the AWS Management Console.

**To enable user and group management**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directory details** page, to enable user and group management, select **Enable**.

1. In the **Enable user and group management** dialog box, select **Enable**.

------
#### [ AWS CLI ]

 The following describes how to format a request that enables AWS Directory Service Data for a directory. You must include your Directory ID in the request.

**Note**  
The enable and disable commands live in the `aws ds` namespace, not `aws ds-data`; the `ds-data` commands only work after the feature has been enabled.

**To enable AWS Directory Service Data CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
aws ds enable-directory-data-access --directory-id d-1234567890
```

------
#### [ AWS Tools for PowerShell ]

**To enable Directory Service Data with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
Enable-DSDirectoryDataAccess -DirectoryId d-1234567890
```

------

## Disabling AWS Directory Service Data


Use the following procedure to disable user and group management or AWS Directory Service Data for an existing AWS Managed Microsoft AD with either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

------
#### [ AWS Management Console ]

You can disable user and group management with the AWS Management Console.

**To disable user and group management**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directory details** page, to disable user and group management, select **Disable**.

1. In the **Disable user and group management** dialog box, select **Disable**.

------
#### [ AWS CLI ]

 The following describes how to format a request that disables AWS Directory Service Data for a directory. You must include your Directory ID in the request. 

**Note**  
The enable and disable commands live in the `aws ds` namespace, not `aws ds-data`; once the feature is disabled, `ds-data` commands against the directory fail.

**To disable AWS Directory Service Data CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
aws ds disable-directory-data-access --directory-id d-1234567890
```

------
#### [ AWS Tools for PowerShell ]

**To disable Directory Service Data with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
Disable-DSDirectoryDataAccess -DirectoryId d-1234567890
```

------

# Creating an AWS Managed Microsoft AD user
Creating a user

Use the following procedure to create a new AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).

------
#### [ AWS Management Console ]

 You can create a new AWS Managed Microsoft AD user account in the AWS Management Console. When you create a new user account, you specify the new user's details and determine whether to add the new user to a group or copy another user's group memberships into the new user. 

For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  On the **Directory details** page, under the **Users** section, choose **Create users account**.

1. The **Specify user details** page opens. Under the **Required information** section, enter a user logon name and password. User logon names must meet the following conditions:
   + Must be a unique logon name
   + Can be up to 20 characters long
   + Can contain alphanumeric characters and a limited set of special characters (the `jane.doe` example used throughout this guide contains a period); characters that Active Directory does not allow in a sAMAccountName, such as `" / \ [ ] : ; | = , + * ? < >`, are rejected
   + The password must adhere to your password policy requirements. Check with your AWS administrator for more information.
**Warning**  
The user logon name cannot be changed after the user is created.

   1. *(Optional)* Under the **Primary information** section, you can enter a first and last name for the user. You can also enter a display name and description for the user.

   1. *(Optional)* Under the **Contact methods** section, you can enter an email address and telephone numbers for the user.

   1. *(Optional)* Under the **Job-related information** section, you can enter a department, manager, office, and company for the user.

   1. *(Optional)* Under the **Address** section, you can enter an address for the user.

   1. *(Optional)* Under the **Account settings** section, you can enter notes, a preferred language, and service principal name for the user.

      For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

1. Choose **Next** once you've provided the user account details.

1. On the **Add users to groups - *optional*** page, you can add the user to a new group or to an existing group. You can also copy the group membership of an existing user to the new user. If you don't want to add a user to a group, choose **Next**. Move to Step 12 to continue this procedure.

1. *(Optional)* To create a new group, see [Create a AWS Managed Microsoft AD group](ms_ad_create_group.md).

1. *(Optional)* To add a new user to an existing group:

   1. Select the group you want to add the new user to in the **Groups** section. To find groups, enter the group name in the search box. 

1. *(Optional)* To copy the group membership of an existing user to a new user:

   1. Choose the **Copy group membership from user** tab. To find a user with a group membership you want to copy, enter the user logon name in the search box under the **Users** section.

   1. In the **Selected groups** section, select the groups the new user should become a member of.

1. Choose **Next** when you're ready to create the new user account.

1. On the **Review and create user** page, review all the choices you made. Choose **Create user**.

1. After the user is created, you're taken to the new user's details page. A banner appears stating the user was successfully created.

**Important**  
 If you receive an error message telling you that you don't have permission to create a user, follow the instructions in the error message to request that your administrator grant you access. 

------
#### [ AWS CLI ]

 The following describes how to format a request that creates a new AWS Managed Microsoft AD user account with the AWS Directory Service Data CLI. You must include your directory ID number and a user logon name in your request. You can also include other attributes, such as a user display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID, logon name, and attribute values with your AWS Managed Microsoft AD Directory ID and the values you want for the new user: 

```
aws ds-data create-user \
  --directory-id d-1234567890 \
  --sam-account-name "jane.doe" \
  --other-attributes '{
    "DisplayName": { "S": "jane.doe" },
    "Department": { "S": "Legal" }
  }'
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that creates a new AWS Managed Microsoft AD user account with AWS Tools for PowerShell. You must include your directory ID number and a user logon name in your request. You can also include other attributes, such as a user display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID, logon name, and attribute values with your AWS Managed Microsoft AD Directory ID and the values you want for the new user: 

```
New-DSDUser `
    -DirectoryId d-1234567890 `
    -SAMAccountName "jane.doe" `
    -OtherAttribute @{
        DisplayName = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'jane.doe' }
        Department = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'Legal' }
    }
```

------

# Viewing and updating an AWS Managed Microsoft AD user
Viewing and updating a user

Use the following procedure to view or update an AWS Managed Microsoft AD user's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

## Viewing an AWS Managed Microsoft AD user's details
Viewing a user's details

You can view a user's details in the AWS Management Console, AWS CLI, or AWS Tools for PowerShell. The user's details include profile and account information and group memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can view an AWS Managed Microsoft AD user's details in the AWS Management Console.

**To view an AWS Managed Microsoft AD user's details and account details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select a user. You're directed to the **User details** screen. The **User details** screen shows the following information: 
   +  Groups the user is a member of (group memberships) 
   +  Profile details (such as primary information like user logon name, first name, last name, etc.) 
   +  Account settings (such as account information like user principal name, service principal name, distinguished name, etc.) 
   + Account status

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS CLI ]

 With the AWS CLI, you can view a user's details, which includes profile and account information and group memberships. 

**To view an AWS Managed Microsoft AD user's profile and account details with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD user's details with the AWS Directory Service Data CLI. 
+  To view a user's details, open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data describe-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

**To view a user's group memberships**  
 The following describes how to view an AWS Managed Microsoft AD user's group membership with the AWS Directory Service Data CLI. 
+  To view a user's group memberships, open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data list-groups-for-member --directory-id d-1234567890 --sam-account-name "jane.doe"
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS Tools for PowerShell ]

 With Tools for PowerShell, you can view a user's details, which includes profile and account information and group memberships. 

**To view an AWS Managed Microsoft AD user's profile and account details with Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD user's details with the Tools for PowerShell. 
+ To view a user's details, open the PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Get-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

**To view a user's group memberships**  
 The following describes how to view an AWS Managed Microsoft AD user's group membership with the Tools for PowerShell. 
+ To view a user's group memberships, open the PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
(Get-DSDGroupsForMemberList -DirectoryId d-1234567890 -SAMAccountName "jane.doe").Groups
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
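The creation and viewing procedures above are shown one CLI call at a time. The following script is an added example, not AWS code, that strings them together the way a provisioning job would: it validates the logon name before calling the API, encodes `OtherAttributes` in the `{"S": ...}` form the API expects, creates the user, adds it to groups, then reads the memberships back with `ListGroupsForMember` (following `NextToken`) and reports any group that was not applied. It runs offline against the constructed `FakeDSDataClient`; for a real directory, pass `boto3.client("ds-data", region_name=...)` for the directory's primary Region instead, which exposes the same `create_user`, `add_group_member` and `list_groups_for_member` calls. The forbidden-character set is Microsoft's documented sAMAccountName restriction, and the directory ID and group names are placeholders.

```python
"""Create a user in AWS Managed Microsoft AD via the Directory Service Data API,
add it to groups, and verify that the memberships were applied.
Added example, not AWS code. Runs offline against the constructed FakeDSDataClient;
boto3.client("ds-data", region_name=<primary Region>) exposes the same calls."""

# Characters Active Directory rejects in a sAMAccountName (Microsoft's documented set).
FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_SAM_LENGTH = 20  # sAMAccountName length limit, also stated in this guide


def validate_sam_account_name(name: str) -> str:
    """Fail fast on logon names the directory would refuse, before any API call."""
    if not 1 <= len(name) <= MAX_SAM_LENGTH:
        raise ValueError(f"logon name must be 1-{MAX_SAM_LENGTH} characters: {name!r}")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        raise ValueError(f"logon name contains characters AD does not allow: {bad}")
    return name


def encode_attributes(attrs: dict) -> dict:
    """Encode Python values as Directory Service Data AttributeValue objects
    ({"S": str}, {"N": int}, {"BOOL": bool}, {"SS": [str, ...]}), the same
    shape the CLI takes in --other-attributes."""
    encoded = {}
    for key, value in attrs.items():
        if isinstance(value, bool):  # checked before int: bool is an int subclass
            encoded[key] = {"BOOL": value}
        elif isinstance(value, int):
            encoded[key] = {"N": value}
        elif isinstance(value, str):
            encoded[key] = {"S": value}
        elif isinstance(value, (list, tuple)) and all(isinstance(v, str) for v in value):
            encoded[key] = {"SS": list(value)}
        else:
            raise TypeError(f"unsupported value for attribute {key}: {type(value).__name__}")
    return encoded


def build_create_user_request(directory_id: str, sam_account_name: str, **other) -> dict:
    """CreateUser request body; OtherAttributes is omitted when there are none."""
    request = {"DirectoryId": directory_id,
               "SAMAccountName": validate_sam_account_name(sam_account_name)}
    if other:
        request["OtherAttributes"] = encode_attributes(other)
    return request


def list_all_groups_for_member(client, directory_id: str, sam_account_name: str) -> list:
    """Follow NextToken so a member of many groups is not silently truncated."""
    groups, token = [], None
    while True:
        kwargs = {"DirectoryId": directory_id, "SAMAccountName": sam_account_name}
        if token:
            kwargs["NextToken"] = token
        page = client.list_groups_for_member(**kwargs)
        groups.extend(page.get("Groups", []))
        token = page.get("NextToken")
        if not token:
            return groups


def provision_user(client, directory_id: str, sam_account_name: str, groups=(), **other) -> list:
    """Create the user, add it to each group, then read the memberships back.
    Returns the groups the directory does not report, so [] means success."""
    client.create_user(**build_create_user_request(directory_id, sam_account_name, **other))
    for group in groups:
        client.add_group_member(DirectoryId=directory_id, GroupName=group,
                                MemberName=sam_account_name)
    actual = {g["SAMAccountName"] for g in
              list_all_groups_for_member(client, directory_id, sam_account_name)}
    return [g for g in groups if g not in actual]


class FakeDSDataClient:
    """Constructed stand-in for boto3.client("ds-data") so the example runs offline;
    it records each call and mimics the ListGroupsForMember response shape."""

    def __init__(self):
        self.calls, self.memberships = [], {}

    def create_user(self, **request):
        self.calls.append(("create_user", request))
        self.memberships.setdefault(request["SAMAccountName"], set())
        return {"DirectoryId": request["DirectoryId"], "SAMAccountName": request["SAMAccountName"]}

    def add_group_member(self, **request):
        self.calls.append(("add_group_member", request))
        self.memberships[request["MemberName"]].add(request["GroupName"])
        return {}

    def list_groups_for_member(self, **request):
        names = sorted(self.memberships.get(request["SAMAccountName"], ()))
        return {"Groups": [{"SAMAccountName": n} for n in names]}


if __name__ == "__main__":
    demo = FakeDSDataClient()
    print("groups not applied:", provision_user(demo, "d-1234567890", "jane.doe",
          groups=["Legal-Staff"], DisplayName="Jane Doe", Department="Legal"))
```

Reading the memberships back, rather than trusting that `add_group_member` returned without error, is the check worth keeping in automation: a job that reports the groups it could not apply is far easier to reconcile than one that assumes success.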

## Updating an AWS Managed Microsoft AD user's details
Updating a user's details

Use the following procedure to update an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Note**  
The minimum attribute length is 1.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can update an AWS Managed Microsoft AD user's details in the AWS Management Console.

**To update an AWS Managed Microsoft AD user's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select a user. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen. 

1.  To edit groups the user is a member of, choose **Groups**. From this tab, you can add and remove the user from groups. For more information, see [Add an AWS Managed Microsoft AD member to a group](ms_ad_add_remove_user_group.md). 

1. To edit the user's profile details, choose **Profile**, and then choose **Edit**. Or choose **Actions**, and then choose **Edit user**. Make and review your updates, and then choose **Save**. 
**Warning**  
The user logon name cannot be changed after the user is created.

1.  To edit the user's account settings, choose **User account settings**. Or choose **Actions**, and then choose **Edit user**. Make and review your updates, and then choose **Save**. 

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS CLI ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD user's details with the AWS Directory Service Data CLI.

 When you update a user's account, you must include your directory ID number and user logon name. You also must include the update type and attribute you want to update in your request, such as a user last name with the `Surname` parameter. For more information, see [AWS Directory Service Data attributes](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_data_attributes.html). 
+  To update a user's details, open the AWS CLI, and run the following command, replacing the Directory ID, username, update type, and attribute value with your AWS Managed Microsoft AD Directory ID, username, and desired update type and attribute value: 

```
aws ds-data update-user --directory-id d-1234567890 --sam-account-name "jane.doe" --update-type "REPLACE" --surname "Doe"
```

**Note**  
When removing user attributes with the [update-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ds-data/update-user.html) CLI command, you must specify both the attribute and the exact value to be removed. To determine a user's current attribute values, use the [describe-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ds-data/describe-user.html) command first.

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).
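The exact-value requirement in the note above is easy to get wrong by hand, so here is an added example (not code from the AWS documentation) that reads the current value from `describe-user` output and builds the matching `update-user --update-type REMOVE` command for review before anything is executed. The `describe-user` JSON is constructed sample data, and `run_command` is an assumed wrapper around `subprocess`.

```python
"""Build an exact-value REMOVE request for `aws ds-data update-user`.

Added example, not from the AWS documentation. A REMOVE update must carry
the attribute and its current value, so the value is read from describe-user
output first. The argv is returned rather than executed so it can be reviewed
(or tested) before anything touches the directory.
"""
import json
import subprocess
from typing import Any

# Top-level update-user parameters of the ds-data CLI. Anything else is sent
# through --other-attributes as an AttributeValue map (e.g. {"S": "..."}).
TOP_LEVEL_FLAGS = {
    "Surname": "--surname",
    "GivenName": "--given-name",
    "EmailAddress": "--email-address",
}

# Constructed sample of `aws ds-data describe-user` output (not real data).
SAMPLE_DESCRIBE_USER = json.loads("""
{
  "DirectoryId": "d-1234567890",
  "SAMAccountName": "jane.doe",
  "GivenName": "Jane",
  "Surname": "Doe",
  "EmailAddress": "jane.doe@example.com",
  "Enabled": true,
  "OtherAttributes": {
    "department": {"S": "Finance"},
    "telephoneNumber": {"S": "+1-555-0100"}
  }
}
""")


def current_value(describe_output: dict[str, Any], attribute: str) -> Any:
    """Return the attribute's current value as describe-user reports it.

    Top-level fields come back as plain strings; entries in OtherAttributes
    come back as the AttributeValue map so they can be echoed back verbatim.
    """
    if attribute in TOP_LEVEL_FLAGS:
        return describe_output.get(attribute)
    return describe_output.get("OtherAttributes", {}).get(attribute)


def build_remove_command(describe_output: dict[str, Any], attribute: str) -> list[str]:
    """Build argv for an exact-value REMOVE of one attribute.

    Raises KeyError when the attribute is not currently set: a REMOVE without
    the exact present value is the mistake the documentation note warns about.
    """
    value = current_value(describe_output, attribute)
    if value is None:
        raise KeyError(f"{attribute!r} is not set on this user; nothing to remove")

    argv = [
        "aws", "ds-data", "update-user",
        "--directory-id", describe_output["DirectoryId"],
        "--sam-account-name", describe_output["SAMAccountName"],
        "--update-type", "REMOVE",
    ]
    if attribute in TOP_LEVEL_FLAGS:
        argv += [TOP_LEVEL_FLAGS[attribute], value]
    else:
        # Exactly the AttributeValue describe-user returned, re-serialised.
        argv += ["--other-attributes", json.dumps({attribute: value})]
    return argv


def run_command(argv: list[str]) -> str:
    """Assumed helper: execute a reviewed argv with the real AWS CLI."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Dry run against the constructed sample: print the commands, do not execute.
    for attr in ("Surname", "department"):
        print(" ".join(build_remove_command(SAMPLE_DESCRIBE_USER, attr)))
```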

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD user's details with AWS Tools for PowerShell.

 When you update a user's account, you must include your directory ID number and user logon name. You also must include the update type and attribute you want to update in your request, such as a user last name with the `Surname` parameter. For more information, see [AWS Directory Service Data attributes](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_data_attributes.html). 
+  To update a user's details, open PowerShell, and run the following command, replacing the Directory ID, username, update type, and attribute value with your AWS Managed Microsoft AD Directory ID, username, and desired update type and attribute value: 

```
Update-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe" -UpdateType "REPLACE" -Surname "Doe"
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------

# Deleting an AWS Managed Microsoft AD user
Deleting a user

Use the following procedure to delete an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you delete a user's account from a directory, all information about the user is removed, including any permissions the user has to access their account and applications. 

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can delete an AWS Managed Microsoft AD user account in the AWS Management Console. 

**To delete an AWS Managed Microsoft AD user account with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Choose the user whose account you want to delete. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen. 

1.  Choose **Actions**. Then choose **Delete user account** and **Delete user account** again. 

------
#### [ AWS CLI ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD user's account with the AWS Directory Service Data CLI.

**To delete an AWS Managed Microsoft AD user account with AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data delete-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD user's account with AWS Tools for PowerShell.

**To delete an AWS Managed Microsoft AD user account with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Remove-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

------

# Disabling an AWS Managed Microsoft AD user
Disabling a user

Use the following procedure to disable an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you disable a user's account, the user loses any permissions to access their account and applications. 

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can disable an AWS Managed Microsoft AD user account in the AWS Management Console.

**To disable an AWS Managed Microsoft AD user account with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Choose the user whose account you want to disable. You're directed to the **User details** screen. 

1.  Choose **Actions**. Then choose **Disable user account** and **Disable user account** again. 

**Note**  
 To re-enable your user's account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md). 

------
#### [ AWS CLI ]

 The following describes how to format a request that disables an AWS Managed Microsoft AD user account with the AWS Directory Service Data CLI.

**To disable an AWS Managed Microsoft AD user account with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data disable-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

**Note**  
 To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md).

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that disables an AWS Managed Microsoft AD user account with AWS Tools for PowerShell.

**To disable an AWS Managed Microsoft AD user account with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Disable-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

**Note**  
 To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md).

------

# Resetting and enabling an AWS Managed Microsoft AD user's password
Resetting and enabling a user's password

Use the following procedure to reset an AWS Managed Microsoft AD user's password and enable their account with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account in the AWS Management Console. You can perform this task from either the **Directories** screen or **Directory details** screen.

**Directories**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose **Actions**, and then choose **Reset user password and enable account**. 

   1.  Under **User logon name**, enter the user logon name for the user whose password you want to reset. 

   1.  Under **New password**, enter the user's new password. 

   1.  Under **Confirm password**, enter the user's new password again. 

1.  After you confirm the user's new password, choose **Reset password and enable account**. 

**Directory details**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select the user whose password you want to reset. 

1.  Choose **Actions**, and then choose **Reset user password and enable account**. 

   1.  Under **New password**, enter the user's new password. 

   1.  Under **Confirm password**, enter the user's new password again. 

1.  After you confirm the user's new password, choose **Reset password and enable account**. 

------
#### [ AWS CLI ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account with the AWS CLI.

**Note**  
The command that resets a user's password is in the `aws ds` namespace, not `aws ds-data`.

**To reset an AWS Managed Microsoft AD user's password with the AWS CLI**
+  To reset a user's password, open the AWS CLI, and run the following command, replacing the Directory ID, username, and password with your AWS Managed Microsoft AD Directory ID, username, and desired credentials: 

```
aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-password "your-password"
```

------
#### [ AWS Tools for PowerShell ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account with AWS Tools for PowerShell.

**To reset an AWS Managed Microsoft AD user's password with AWS Tools for PowerShell**
+  To reset a user's password, open PowerShell, and run the following command, replacing the Directory ID, username, and password with your AWS Managed Microsoft AD Directory ID, username, and desired credentials: 

```
Reset-DSUserPassword -DirectoryId d-1234567890 -UserName "jane.doe" -NewPassword "your-password"
```

------

# Creating an AWS Managed Microsoft AD group
Creating a group

Use the following procedure to create an AWS Managed Microsoft AD group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).

------
#### [ AWS Management Console ]

 You can create a new AWS Managed Microsoft AD group in the AWS Management Console. When you create a new group, you specify the group's details and determine the [group's type and scope](ad_group_type_and_scope.md). You also have the option to add users and child groups to your new group or add your new group to a parent group.

**To create an AWS Managed Microsoft AD group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose **Create group**. You're directed to a procedure where you finish creating your new group. 

1. The **Specify group details** page opens. Enter a **Group name**. Group names must meet the following conditions:
   + Must be a unique group name
   + Can be up to 64 characters long
   + Can only contain alphanumeric characters and certain special characters, including `@%^&-=`()[]:;"'<>,.?/`
**Warning**  
The group name cannot be changed after the group is created.

1. Choose the **Group type** from one of the following. To learn more, see [Group type](ad_group_type_and_scope.md#ad_group_type).
   + **Security**
   + **Distribution**

1. Choose the **Group scope** from one of the following. You can turn on **Compare scopes** to display a chart of the similarities and differences between group scopes. To learn more, see [Group scope](ad_group_type_and_scope.md#ad_group_scope).
   + **Domain local**
   + **Universal**
   + **Global**

1. After providing the group details, choose **Next**.

1. The **Add users to group - *Optional*** page opens and you can add users to the new group. To find a user to add to the group, enter the user logon name in the search box under the **Users** section. Select the users you want to add to the group and choose **Next**.

1. The **Add child groups - *Optional*** page opens and you can add existing groups to the new group. The existing groups become child groups of the newly created group. When you add a child group to your group, your group becomes the parent group, and the child group inherits all of your group's roles and permissions. To find groups to add, enter the group name in the search box under the **Add child groups** section. Select the child groups you want to add to the new group and choose **Next**.

1. The **Add parent groups - *Optional*** page opens and you can add the new group to existing groups. The existing groups become parent groups of the new group. When you add your group to a parent group, your group becomes the child group and inherits all of the parent group's roles and permissions. To find groups to add, enter the group name in the search box under the **Add parent groups** section. Select the parent groups you want to add the new group to and choose **Next**.

1. On the **Review and create group** page, review your choices, and then choose **Create group**.

------
#### [ AWS CLI ]

 The following describes how to format a request that creates an AWS Managed Microsoft AD group with the AWS Directory Service Data CLI. When you create a new group, you must include your Directory ID number and a group name. You can also add other attributes, such as a group display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 

**To create an AWS Managed Microsoft AD group with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID, group name, and group display name with your AWS Managed Microsoft AD Directory ID, group name, and desired group display name: 

```
aws ds-data create-group \
    --directory-id d-1234567890 \
    --sam-account-name "your-group-name" \
    --other-attributes '{
        "DisplayName": { "S": "myGroupDisplayName" },
        "Description": { "S": "myGroupDescription" }
    }'
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that creates an AWS Managed Microsoft AD group with AWS Tools for PowerShell. When you create a new group, you must include your Directory ID number and a group name. You can also add other attributes, such as a group display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 

**To create an AWS Managed Microsoft AD group with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID, group name, and group display name with your AWS Managed Microsoft AD Directory ID, group name, and desired group display name:

```
New-DSDGroup `
    -DirectoryId d-1234567890 `
    -SAMAccountName "your-group-name" `
    -OtherAttribute @{
        DisplayName = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'myGroupDisplayName' }
        Description = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'myGroupDescription' }
    }
```

------

# Viewing and updating an AWS Managed Microsoft AD group's details
Viewing and updating a group

Use the following procedure to view or update an AWS Managed Microsoft AD group's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

## Viewing an AWS Managed Microsoft AD group's details
Viewing a group's details

You can view or update a group's details in the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can view an AWS Managed Microsoft AD group's details in the AWS Management Console.

**To view an AWS Managed Microsoft AD group's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. The **Group details** screen shows the following information: 
   +  The **Members** tab lists the users and child groups that are members of your group.
   +  The **Parent groups** tab lists the parent groups that your group is a member of.
   +  The **Properties** tab lists the group properties (such as primary information like group name, group display name, etc.).

------
#### [ AWS CLI ]

 You can view an AWS Managed Microsoft AD group's details with the AWS Directory Service Data CLI. 

**To view an AWS Managed Microsoft AD group's details with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD group's details with the AWS CLI. 
+  To view a group's details, open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data describe-group --directory-id d-1234567890 --sam-account-name "your-group-name"
```

**To view an AWS Managed Microsoft AD group's group members with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD group's members with the AWS CLI. 
+  To view a group's members, open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data list-group-members --directory-id d-1234567890 --sam-account-name "your-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 You can view an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell. 

**To view an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD group's details with the Tools for PowerShell.
+ To view a group's details, open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
Get-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name"
```

**To view an AWS Managed Microsoft AD group's group members with AWS Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD group's members with the Tools for PowerShell.
+  To view a group's members, open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
(Get-DSDGroupMemberList -DirectoryId d-1234567890 -SAMAccountName "your-group-name").Members
```

------

## Updating an AWS Managed Microsoft AD group's details
Updating a group's details

Use the following procedure to update an AWS Managed Microsoft AD group's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can update a group's details with the AWS Management Console. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To update an AWS Managed Microsoft AD group's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  To edit users and child groups that are members of your group, choose **Members**. From this tab, you can add and remove users and child groups from your group. For more information, see [Adding and removing members to groups and groups to groups](ms_ad_add_remove_user_group.md). 

1.  To edit parent groups that your group is a member of, choose **Parent groups**. From this tab, you can add and remove your group from parent groups. For more information, see [Adding and removing members to groups and groups to groups](ms_ad_add_remove_user_group.md).

1.  To edit your group properties, choose **Properties**, and then choose **Edit**. Or choose **Actions**, and then choose **Edit group**. Make and review your updates, and then choose **Save**. 

------
#### [ AWS CLI ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD group's details with the AWS Directory Service Data CLI. 

 When you update a group, you must include your directory ID number and group name. You also must include the update type and attribute you want to update in your request, such as a group email address with the `EmailAddress` parameter. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 
**To update an AWS Managed Microsoft AD group's details with the AWS CLI**

To update a group's details, open the AWS CLI, and run the following command, replacing the Directory ID, group name, update type, and attribute with your AWS Managed Microsoft AD Directory ID, group name, and desired update type and attribute: 

```
aws ds-data update-group --directory-id d-1234567890 --sam-account-name "your-group-name" --update-type "REPLACE" --group-scope "Global"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell. 

 When you update a group, you must include your directory ID number and group name. You also must include the update type and attribute you want to update in your request, such as a group email address with the `EmailAddress` parameter. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 
**To update an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell**

To update a group's details, open PowerShell, and run the following command, replacing the Directory ID, group name, update type, and attribute with your AWS Managed Microsoft AD Directory ID, group name, and desired update type and attribute: 

```
Update-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name" -UpdateType "REPLACE" -GroupScope "Global"
```

------

# Deleting an AWS Managed Microsoft AD group
Deleting a group

Use the following procedure to delete an AWS Managed Microsoft AD group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you delete a group, all information about the group is removed, including any permissions that group members inherit.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can delete an AWS Managed Microsoft AD group in the AWS Management Console.

**To delete an AWS Managed Microsoft AD group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose the group that you want to delete. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Delete group**. A dialog box appears where you can choose **Confirm** to delete the group. 

------
#### [ AWS CLI ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD group with the AWS Directory Service Data CLI.

**To delete an AWS Managed Microsoft AD group with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data delete-group --directory-id d-1234567890 --sam-account-name "your-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD group with the AWS Tools for PowerShell.

**To delete an AWS Managed Microsoft AD group with the AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
Remove-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name"
```

------

# Adding and removing AWS Managed Microsoft AD members to groups and groups to groups
Adding and removing members to groups and groups to groups

 With the [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html), a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time. 

Use the following procedures to add an AWS Managed Microsoft AD user or group to a group, or remove one from a group, with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell. 

## Adding a user to a group


Use the following procedure to add an AWS Managed Microsoft AD user to a group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 When you add an AWS Managed Microsoft AD user to a group, the user inherits the roles and permissions assigned to the group. These roles and permissions are part of the user's group memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD user](ms_ad_create_user.md).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can add an AWS Managed Microsoft AD member to a group with the AWS Management Console.

**To add an AWS Managed Microsoft AD user to a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. To find groups, enter the group name in the search box under the **Groups** section. 

1.  Choose a group. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  On the **Members** tab, choose **Add member**. 

1.  Under **Members**, select the user you want to add to your group, and then choose **Add member to group**. To find members, enter the user logon name for users and group name for groups in the search box under the **Members** section. 

------
#### [ AWS CLI ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD member to a group with the AWS Directory Service Data CLI. 

**To add an AWS Managed Microsoft AD user to a group with the AWS CLI**
+  To add a user to a group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID and group and member names: 

```
aws ds-data add-group-member --directory-id d-1234567890 --group-name "your-group-name" --member-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD member to a group with AWS Tools for PowerShell. 

**To add an AWS Managed Microsoft AD user to a group with AWS Tools for PowerShell**
+  To add a user to a group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID and group and member names: 

```
Add-DSDGroupMember -DirectoryId d-1234567890 -GroupName "your-group-name" -MemberName "jane.doe"
```

------

## Removing a user from a group


 With the [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html), a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time. 

Use the following procedure to remove an AWS Managed Microsoft AD user from a group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 When you remove an AWS Managed Microsoft AD user from a group, the user loses access to the roles and permissions assigned to the group. These roles and permissions are part of the group's memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD user](ms_ad_create_user.md).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can remove an AWS Managed Microsoft AD member from a group with the AWS Management Console.

**To remove an AWS Managed Microsoft AD user from a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Select the user you want to remove from your group, and then choose **Remove**. To find users, enter the user logon name in the search box under the **Members** section.

1.  Confirm that you want to remove the user from your group, and then choose **Remove** again. 

------
#### [ AWS CLI ]

 The following describes how to format a request that removes an AWS Managed Microsoft AD member from a group with the AWS Directory Service Data CLI.

**To remove an AWS Managed Microsoft AD user from a group with AWS CLI**
+  To remove a user from a group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data remove-group-member --directory-id d-1234567890 --group-name "your-group-name" --member-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that removes an AWS Managed Microsoft AD member from a group with AWS Tools for PowerShell.

**To remove an AWS Managed Microsoft AD user from a group with AWS Tools for PowerShell**
+  To remove a user from a group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Remove-DSDGroupMember -DirectoryId d-1234567890 -GroupName "your-group-name" -MemberName "jane.doe"
```

------

## Adding a group to a group


When you add an AWS Managed Microsoft AD group to another group, the groups share a parent-child relationship. The child group gains access to the roles and permissions that are assigned to the parent group. You can add a child group to your group and your group to a parent group.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can add an AWS Managed Microsoft AD group to a group with the AWS Management Console.

**To add a child group to your group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Choose **Add member**. 

1.  Under **Members**, select the child group(s) you want to add to your group, and then choose **Add member to group**.

**To add a parent group to a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Parent groups**. The tab shows a list of groups that your group is a member of. 

1.  Choose **Add parent groups**. 

1.  Under **Groups**, select the group(s) you want to add your group to, and then choose **Add parent groups** again.

------
#### [ AWS CLI ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD group to a group with the AWS Directory Service Data CLI. 

**To add a child group to your group with the AWS CLI**
+  To add a child group to a parent group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data add-group-member --directory-id d-1234567890 --group-name "parent-group-name" --member-name "child-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD group to a group with AWS Tools for PowerShell. 

**To add a child group to your group with AWS Tools for PowerShell**
+  To add a child group to a parent group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Add-DSDGroupMember -DirectoryId d-1234567890 -GroupName "parent-group-name" -MemberName "child-group-name"
```

------

## Removing a group from a group


 When you remove an AWS Managed Microsoft AD group from another group, the groups no longer share a parent-child relationship. The child group loses access to the roles and permissions that are assigned to the parent group. You can remove a child group from your group and your group from a parent group.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can remove an AWS Managed Microsoft AD group from a group with the AWS Management Console.

**To remove a child group from your group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. You're directed to the **Group details** screen. To find groups, enter the group name in the search box under the **Groups** section. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Select the child group(s) you want to remove from your group, and then choose **Remove**.

1.  Confirm the child group(s) you want to remove from your group, and then choose **Remove** again. 

**To remove your group from a parent group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. You're directed to the **Group details** screen. To find groups, enter the group name in the search box under the **Groups** section. 

1.  Choose **Parent groups**. The tab shows a list of groups that your group is a member of. 

1.  Select the parent group you want to remove your group from, and then choose **Remove parent groups**. 

1.  Confirm the parent group you want to remove your group from, and then choose **Remove parent groups** again. 

------
#### [ AWS CLI ]

The following describes how to format a request that removes an AWS Managed Microsoft AD group from a group with the AWS Directory Service Data CLI. 

**To remove a child group from a parent group with the AWS CLI**

To remove a child group from a parent group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data remove-group-member --directory-id d-1234567890 --group-name "parent-group-name" --member-name "child-group-name"
```

------
#### [ AWS Tools for PowerShell ]

The following describes how to format a request that removes an AWS Managed Microsoft AD group from a group with AWS Tools for PowerShell. 

**To remove a child group from a parent group with AWS Tools for PowerShell**

To remove a child group from a parent group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Remove-DSDGroupMember -DirectoryId d-1234567890 -GroupName "parent-group-name" -MemberName "child-group-name"
```

------

# Copying AWS Managed Microsoft AD group memberships in the AWS Management Console
Copying group memberships in the console

 You can copy group memberships from one AWS Managed Microsoft AD user into another user in the AWS Management Console. Group memberships are the roles and permissions that a user inherits when you add them to a group. 

**Before you begin this procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

**To copy AWS Managed Microsoft AD group memberships with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1. Choose the user whose group memberships you want to copy. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen.

1.  Choose **Copy all group memberships**. You're directed to a procedure where you can specify which groups you want to copy. 

   1.  For **Verify groups to copy**, under **Groups to copy**, select the groups with roles and permissions you want to copy, and then choose **Next**. 

   1.  For **Select destination account**, under **Account type**, choose **Existing user account** to copy group memberships into an existing user account. Alternatively, choose **New user account** to create a new user and copy group memberships into the new user account. To find a group, enter the group's name in the search box under the **Selected groups** section. 

      1. *(Optional)* If you choose **Existing user account**, select the destination accounts into which you want to copy the roles and permissions, and then choose **Next**. 

      1. *(Optional)* If you choose **New user account**, complete the procedure, and then choose **Next**. For information about creating a user, see [Creating a user](ms_ad_create_user.md). 

   1.  For **Review and copy group memberships**, review your choices, and then choose **Copy group membership**. 
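Two operations on this page carry a consequence the console does not show at the moment you confirm: deleting a group strips whatever its members inherited through it (the **Important** note under *Deleting a group*), and copying all of a user's memberships can over-grant. The following added example (not AWS code) does both through the Directory Service Data API with boto3's `ds-data` client, assumed to be created with `boto3.client("ds-data")` and passed in by the caller; `FakeDsDataClient`, the directory ID, and the user and group names are constructed so it runs offline.

```python
"""Guard rails for two operations on this page, done through the Directory Service Data API.
Added example, not AWS documentation code. It assumes a boto3 client for the service,
boto3.client("ds-data"), passed in by the caller; the constructed FakeDsDataClient below
stands in for it so everything runs offline."""
from typing import Any, Callable, Dict, List, Optional


def _paginate(call: Callable[..., Dict[str, Any]], key: str, **kwargs: Any) -> List[Dict[str, Any]]:
    """Collect response[key] across pages, following NextToken until it is absent."""
    items: List[Dict[str, Any]] = []
    while True:
        page = call(**kwargs)
        items.extend(page.get(key, []))
        token = page.get("NextToken")
        if not token:
            return items
        kwargs["NextToken"] = token


def delete_group_if_empty(client: Any, directory_id: str, group_name: str, force: bool = False) -> Dict[str, Any]:
    """Delete a group only when nothing still inherits permissions through it.
    Deleting strips every permission members inherited from the group, so the direct members
    (ListGroupMembers) are listed first and returned as the reason for refusing, or as the
    change record when force=True."""
    members = _paginate(client.list_group_members, "Members", DirectoryId=directory_id, SAMAccountName=group_name)
    by_type: Dict[str, List[str]] = {}
    for member in members:
        by_type.setdefault(member.get("MemberType", "UNKNOWN"), []).append(member["SAMAccountName"])
    if members and not force:
        return {"deleted": False, "members": by_type}
    client.delete_group(DirectoryId=directory_id, SAMAccountName=group_name)
    return {"deleted": True, "members": by_type}


def copy_group_memberships(client: Any, directory_id: str, source_user: str, dest_user: str,
                           only_groups: Optional[List[str]] = None, dry_run: bool = False) -> Dict[str, List[str]]:
    """API equivalent of the console's "Copy all group memberships" procedure.
    The source user's groups come from ListGroupsForMember; only_groups mirrors the console's
    "Verify groups to copy" step so a privileged source does not over-grant. Groups the
    destination already belongs to are skipped, so re-running the copy is harmless."""
    source_groups = _paginate(client.list_groups_for_member, "Groups", DirectoryId=directory_id, SAMAccountName=source_user)
    wanted = [g["SAMAccountName"] for g in source_groups]
    if only_groups is not None:
        wanted = [g for g in wanted if g in set(only_groups)]
    dest_groups = _paginate(client.list_groups_for_member, "Groups", DirectoryId=directory_id, SAMAccountName=dest_user)
    existing = {g["SAMAccountName"] for g in dest_groups}
    added: List[str] = []
    skipped: List[str] = []
    for group in wanted:
        if group in existing:
            skipped.append(group)
            continue
        if not dry_run:  # dry_run reports the plan without calling AddGroupMember
            client.add_group_member(DirectoryId=directory_id, GroupName=group, MemberName=dest_user)
        added.append(group)
    return {"added": added, "skipped": skipped}


class FakeDsDataClient:
    """Constructed in-memory stand-in for boto3.client("ds-data"), covering only the calls used
    above. memberships maps each member's SAMAccountName to its groups; member_types gives each
    member's MemberType (USER or GROUP) as the real ListGroupMembers response reports it."""

    def __init__(self, memberships: Dict[str, List[str]], member_types: Dict[str, str], page_size: int = 2) -> None:
        self.memberships = {k: list(v) for k, v in memberships.items()}
        self.member_types = member_types
        self.page_size = page_size  # small pages so the pagination path is exercised
        self.calls: List[tuple] = []  # every write call, in order

    def _page(self, key: str, items: List[Dict[str, str]], token: Optional[str]) -> Dict[str, Any]:
        start = int(token or 0)
        page: Dict[str, Any] = {key: items[start:start + self.page_size]}
        if start + self.page_size < len(items):
            page["NextToken"] = str(start + self.page_size)
        return page

    def list_groups_for_member(self, DirectoryId, SAMAccountName, NextToken=None, **_):
        groups = [{"SAMAccountName": g, "GroupType": "Security", "GroupScope": "Global"}
                  for g in self.memberships.get(SAMAccountName, [])]
        return self._page("Groups", groups, NextToken)

    def list_group_members(self, DirectoryId, SAMAccountName, NextToken=None, **_):
        members = [{"SAMAccountName": m, "MemberType": self.member_types.get(m, "USER")}
                   for m, groups in sorted(self.memberships.items()) if SAMAccountName in groups]
        return self._page("Members", members, NextToken)

    def add_group_member(self, DirectoryId, GroupName, MemberName, **_):
        self.memberships.setdefault(MemberName, []).append(GroupName)
        self.calls.append(("add_group_member", GroupName, MemberName))
        return {}

    def delete_group(self, DirectoryId, SAMAccountName, **_):
        self.memberships = {m: [g for g in gs if g != SAMAccountName] for m, gs in self.memberships.items()}
        self.calls.append(("delete_group", SAMAccountName))
        return {}
```

With a real client the same calls run against your directory; `dry_run=True` and the refusal result of `delete_group_if_empty` give you the change record to review before anything is written.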

# Manage users and groups with an Amazon EC2 instance


 This section includes procedures for managing users and groups with an Amazon EC2 instance that's joined to your AWS Managed Microsoft AD. 

 We recommend managing users and groups with an Amazon EC2 instance if the Directory Service Data API doesn't support your use case. For more information, see the [AWS Directory Service Data API Reference](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html). 

**Note**  
 Before you complete any of the procedures in the following topics, you must install the Active Directory administration tools. For more information, see [Install the Active Directory administration tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html). 

**Topics**
+ [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md)
+ [Creating an AWS Managed Microsoft AD user](ms_ad_manage_users_groups_create_user.md)
+ [Delete a user's account with an Amazon EC2 instance](ms_ad_manage_users_groups_delete_user.md)
+ [Resetting an AWS Managed Microsoft AD user password](ms_ad_manage_users_groups_reset_password.md)
+ [Creating an AWS Managed Microsoft AD group](ms_ad_manage_users_groups_create_group.md)
+ [Adding an AWS Managed Microsoft AD user to a group](ms_ad_manage_users_groups_add_user_to_group.md)

# Installing Active Directory Administration Tools for AWS Managed Microsoft AD
Installing AD Administration Tools

You can manage your AWS Managed Microsoft AD Active Directory using the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools. To use these tools, you first need to install them. The following procedures walk you through installing them on an Amazon EC2 Windows Server instance or with a PowerShell command. Alternatively, you can launch a directory administration EC2 instance that already has these tools installed.

------
#### [ EC2 Windows Server instance ]

Before you can begin this procedure, complete the following:

1. Create an AWS Managed Microsoft AD Active Directory. For more information, see [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).

1. Launch and join an EC2 Windows Server instance to your AWS Managed Microsoft AD Active Directory. The EC2 instance needs the following policies to create users and groups: **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess**. For more information, see [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md) and [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md).

1. You will need the credentials for your Active Directory domain Administrator. These credentials were created when the AWS Managed Microsoft AD was created. If you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory), your Administrator username includes your NetBIOS name, **corp\admin**.

**Installing Active Directory administration tools on an EC2 Windows Server instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Instances**, select the Windows Server instance, and then choose **Connect**.

1. In the **Connect to instance** page, choose **RDP client**.

1. In the **RDP client** tab, choose **Download Remote Desktop File**, then choose **Get Password** to retrieve your password.

1. In the **Get Windows password** dialog box, choose **Upload private key file**. Choose the .pem private key file associated with the Windows Server instance. After uploading the private key file, select **Decrypt password**.

1. In the **Windows Security** dialog box, copy your local administrator credentials for the Windows Server computer to sign in. The username can be in the following formats: ***NetBIOS-Name*\admin** or ***DNS-Name*\admin**. For example, **corp\admin** would be the username if you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).

1. Once signed in to the Windows Server instance, open **Server Manager** from the Start menu.

1. In the **Server Manager Dashboard**, choose **Add roles and features**.

1. In the **Add Roles and Features Wizard** choose **Installation Type**, select **Role-based or feature-based installation**, and choose **Next**.

1. Under **Server Selection**, make sure the local server is selected, and choose **Features** in the left navigation pane.

1. In the **Features** tree, select and open **Remote Server Administration Tools**, **Role Administration Tools**, and **AD DS and AD LDS Tools**. With **AD DS and AD LDS Tools** selected, **Active Directory module for PowerShell**, **AD DS Tools**, and **AD LDS Snap-ins and Command-Line Tools** are selected. Scroll down and select **DNS Server Tools**, and then choose **Next**.  
![\[Installing Microsoft AD Tools, the Add Roles and Features Wizard Features Tree with tools selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/ms-install-ad-tools.png)

1. Review the information and choose **Install**. When the feature installation is finished, the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools are available from the Start menu in the **Administrative Tools** folder.

------
#### [ PowerShell ]

You can install the Active Directory Administration Tools using PowerShell. For example, you can install the Active Directory remote administration tools from a PowerShell prompt using `Install-WindowsFeature RSAT-ADDS`. For more information, see [Install-WindowsFeature](https://docs.microsoft.com/en-us/powershell/module/servermanager/install-windowsfeature?view=winserver2012r2-ps) on the Microsoft website.
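The following script is an added example, not part of the AWS documentation. It installs the same RSAT components the Server Manager procedure above selects (the Active Directory module for PowerShell, AD DS Tools, AD LDS Snap-ins and Command-Line Tools, and DNS Server Tools) and then verifies the result, so a run can be reviewed rather than assumed to have worked. It assumes an elevated PowerShell session on the domain-joined Windows Server instance; the feature names are the standard Windows Server feature names.

```powershell
# Added example (not from the AWS documentation): install the RSAT components
# the Server Manager procedure selects, then verify them.
# Run in an elevated PowerShell session on the domain-joined Windows Server instance.
$features = @(
    'RSAT-AD-PowerShell',   # Active Directory module for Windows PowerShell
    'RSAT-ADDS-Tools',      # AD DS Snap-Ins and Command-Line Tools (includes dsa.msc)
    'RSAT-ADLDS',           # AD LDS Snap-Ins and Command-Line Tools
    'RSAT-DNS-Server'       # DNS Server Tools
)

# Install only what is missing. Install-WindowsFeature is idempotent, but
# reporting the before/after state makes the change reviewable.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the install.' }
} else {
    Write-Host 'All requested RSAT features are already installed.'
}

# Verify: every requested feature must now report Installed.
Get-WindowsFeature -Name $features |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Confirm the AD module loads and the instance can reach a domain controller
# of the AWS Managed Microsoft AD it is joined to.
Import-Module ActiveDirectory
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, PDCEmulator
```

`RSAT-ADDS` used in the text is the parent feature that pulls in the AD DS and AD LDS tools together; listing the child features individually, as here, lets you add `RSAT-DNS-Server`, which the Server Manager procedure also selects, in the same step.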

------
#### [ Directory administration instance  ]

You can launch a directory administration EC2 instance in the AWS Management Console that already has the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools installed by following the procedures in [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md).

------

# Creating an AWS Managed Microsoft AD user
Creating a user

You can create AWS Managed Microsoft AD users with the Active Directory Administration Tools and PowerShell. Before you can create a user with the Active Directory Administration Tools, you will need to complete the procedure in [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).

------
#### [ Active Directory Administration Tools ]

Use the following procedure to create an AWS Managed Microsoft AD user with Active Directory Administration Tools.

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool from the Windows Start menu. There is a shortcut to this tool found in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your user (for example, **corp\Users**). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, choose **New**, and then choose **User** to open the new user wizard.

1. On the first page of the wizard, enter the values for the following fields, and then choose **Next**.
   + **First name**
   + **Last name**
   + **User logon name**

1. On the second page of the wizard, enter a temporary password in **Password** and **Confirm Password**. Make sure the **User must change password at next logon** option is selected. None of the other options should be selected. Choose **Next**.

1. On the third page of the wizard, verify that the new user information is correct and choose **Finish**. The new user will appear in the **Users** folder.

------
#### [ PowerShell ]

Use the following procedure to create an AWS Managed Microsoft AD user with PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory administrator.

1. Open PowerShell.

1. Type the following command, replacing the username **jane.doe** with the username of the user you want to create. PowerShell will prompt you for a password for the new user. For more information on Active Directory password complexity requirements, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements). For more information on the New-ADUser command, see [Microsoft documentation](https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2022-ps).

```
New-ADUser -Name "jane.doe" -Enabled $true -AccountPassword (Read-Host -AsSecureString 'Password')
```
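The one-line command above creates the user in the default **Users** container with only a name. The script below is an added example, not part of the AWS documentation, that creates the user with the same settings the Active Directory Administration Tools procedure applies: placed in the NetBIOS-name OU (**Corp\Users**), with a temporary password and **User must change password at next logon** set, and then verifies the result. It assumes the NetBIOS name reported by `Get-ADDomain`, a username of **jane.doe**, and the constructed given name and surname; the OU path is built from the directory's own NetBIOS name rather than hard-coded.

```powershell
# Added example (not from the AWS documentation): create a user in the
# <NetBIOS>\Users OU with the same settings the GUI procedure applies
# (temporary password, must change at next logon), then verify it.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$userName = 'jane.doe'          # constructed sample username
# AWS Managed Microsoft AD creates OU=Users under OU=<NetBIOS name> at the domain root.
$targetOU = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"

# Read the temporary password interactively instead of putting it on the
# command line, where it would be kept in PSReadLine history.
$tempPassword = Read-Host -AsSecureString 'Temporary password'

$newUser = @{
    Name                  = $userName
    GivenName             = 'Jane'                            # constructed
    Surname               = 'Doe'                             # constructed
    SamAccountName        = $userName
    UserPrincipalName     = "$userName@$($domain.DNSRoot)"
    Path                  = $targetOU
    AccountPassword       = $tempPassword
    ChangePasswordAtLogon = $true   # same as "User must change password at next logon"
    Enabled               = $true
}
New-ADUser @newUser

# Verify the account landed in the intended OU and is flagged for a password change.
# pwdLastSet is 0 while the "change at next logon" flag is set.
$created = Get-ADUser -Identity $userName -Properties pwdLastSet
[PSCustomObject]@{
    DistinguishedName     = $created.DistinguishedName
    Enabled               = $created.Enabled
    MustChangeAtNextLogon = ($created.pwdLastSet -eq 0)
}
```

Creating the user inside the NetBIOS-name OU matters later: the password-reset operation in Directory Service only works for users in that OU, so an account created elsewhere cannot be reset from the console or the API.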

------

# Delete a user's account with an Amazon EC2 instance


 You can use the following procedure to delete a user with an Amazon EC2 instance that's joined to your AWS Managed Microsoft AD. 

**Note**  
 Before you complete this procedure, you must install the Active Directory administration tools. For more information, see [Install the Active Directory administration tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html). 

**To delete a user**

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU containing the user that you want to delete (for example, Corp\Users).

1. Select the user you wish to delete. On the **Action** menu, choose **Delete**.

1. A dialog box will appear prompting you to confirm you want to delete the user. Choose **Yes** to delete the user.

Deleted users are stored temporarily in the AD Recycle Bin. For more information about the AD Recycle Bin, see [The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944) in Microsoft's Ask the Directory Services Team blog.
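The script below is an added example, not part of the AWS documentation, that performs the same deletion from PowerShell on the domain-joined instance and then shows the point made above: the account is gone from the live directory tree but still present, and recoverable, in the AD Recycle Bin. It assumes the Active Directory module is installed, the user **jane.doe** exists in **Corp\Users**, and the signed-in administrator can read the Deleted Objects container.

```powershell
# Added example (not from the AWS documentation): delete a user, confirm it is
# gone from the live tree, and show the tombstone retained by the AD Recycle Bin.
Import-Module ActiveDirectory

$userName = 'jane.doe'   # constructed sample username

# Record the DN before deletion so the change leaves a reviewable trail.
$user = Get-ADUser -Identity $userName
Write-Host "Deleting $($user.DistinguishedName)"

Remove-ADUser -Identity $userName -Confirm:$false

# A live lookup must now return nothing.
$stillThere = Get-ADUser -Filter "SamAccountName -eq '$userName'"
if ($stillThere) { throw "Expected $userName to be deleted, but it is still present." }

# The object survives in the Recycle Bin (isDeleted=TRUE). lastKnownParent
# records the OU it was removed from; whenChanged gives the deletion time.
$deleted = Get-ADObject -LDAPFilter "(&(sAMAccountName=$userName)(isDeleted=TRUE))" `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# To undo the deletion while the object is still in the Recycle Bin:
# Restore-ADObject -Identity $deleted.ObjectGUID
```

Restore-ADObject puts the account back under its `lastKnownParent` with its SID and group memberships intact, which is why a Recycle Bin restore is preferable to re-creating the user by hand.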

# Resetting an AWS Managed Microsoft AD user password
Resetting a user password

Users must adhere to the password policies defined in the Active Directory. Sometimes users, including the Active Directory administrator, forget their password. When this happens, you can quickly reset the user's password using Directory Service if the user resides in AWS Managed Microsoft AD.

You must be signed in as a user with the necessary permissions to reset passwords. For more information about permissions, see [Overview of managing access permissions to your Directory Service resources](IAM_Auth_Access_Overview.md).

You can reset the password for any user in your Active Directory with the following exceptions:
+ You can reset the password for any user within the Organizational Unit (OU) that is based off of the NetBIOS name you used when you created your Active Directory. For example, if you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory), your NetBIOS name would be CORP and the users whose passwords you could reset would be members of the Corp/Users OU.
+ You cannot reset the password of any user outside of the OU that is based off the NetBIOS name you used when you created your Active Directory. For example, you cannot reset the password for a user in **AWS Reserved OU**. For more information about the OU structure for AWS Managed Microsoft AD, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md). 

For more information on how the password policies are applied when a password is reset in AWS Managed Microsoft AD, see [How password policies are applied](ms_ad_password_policies.md#how_password_policies_applied).

**You can use any of the following tools to reset an AWS Managed Microsoft AD user password:**
+ AWS Management Console
+ AWS CLI
+ PowerShell

------
#### [ AWS Management Console ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with the AWS Management Console.

1. In the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**, and then select the Active Directory in the list where you want to reset a user password.

1. On the **Directory details** page, choose **Actions**, and then choose **Reset user password**.

1. In the **Reset user password** dialog, in **Username** type the username of the user whose password needs to change.

1. Type a password in **New password** and **Confirm password**, and then choose **Reset password**.

------
#### [ AWS CLI ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with the AWS CLI.

1. To install the AWS CLI, see [Install or update the latest version of the AWS CLI](https://docs.aws.amazon.com//cli/latest/userguide/getting-started-install.html).

1. Open the AWS CLI.

1. Type the following command and replace the Directory ID, username **jane.doe**, and password **P@ssw0rd** with your Active Directory Directory ID and desired credentials. See [reset-user-password](https://docs.aws.amazon.com/cli/latest/reference/ds/reset-user-password.html) in the *AWS CLI Command Reference* for more information.

```
aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-password "P@ssw0rd"
```

------
#### [ PowerShell ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory administrator.

1. Open PowerShell.

1. Type the following command, replacing the username **jane.doe**, the Directory ID, and the password **P@ssw0rd** with your Active Directory Directory ID and desired credentials. See [Reset-DSUserPassword Cmdlet](https://docs.aws.amazon.com/powershell/latest/reference/items/Reset-DSUserPassword.html) for more information.

```
Reset-DSUserPassword -UserName "jane.doe" -DirectoryId d-1234567890 -NewPassword "P@ssw0rd"
```
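The command above takes the new password as a literal argument, which leaves it in the PowerShell session history. The function below is an added example, not part of the AWS documentation, that wraps Reset-DSUserPassword so that the password is read interactively, and that checks the OU restriction described at the top of this section before calling the API: resets are only permitted for users under the NetBIOS-name OU, so the function fails with a clear message for anything else (for example, an account in **AWS Reserved**). It assumes a domain-joined instance with the Active Directory module and the AWS Tools for PowerShell `AWS.Tools.DirectoryService` module installed, the placeholder Directory ID **d-1234567890** from the page, and the user **jane.doe**.

```powershell
# Added example (not from the AWS documentation): reset a password through
# Reset-DSUserPassword only after confirming the account sits inside the
# NetBIOS-name OU, and without passing the new password on the command line.
Import-Module ActiveDirectory
Import-Module AWS.Tools.DirectoryService   # assumed module providing Reset-DSUserPassword

function Reset-ManagedAdUserPassword {
    param(
        [Parameter(Mandatory)] [string] $DirectoryId,
        [Parameter(Mandatory)] [string] $UserName
    )
    $domain    = Get-ADDomain
    $netbiosOU = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
    $user      = Get-ADUser -Identity $UserName

    # Directory Service can only reset users under the NetBIOS-name OU;
    # fail early with a clear message instead of an API error.
    if ($user.DistinguishedName -notlike "*,$netbiosOU") {
        throw "$UserName is at '$($user.DistinguishedName)', outside $netbiosOU; reset is not permitted there."
    }

    $secure = Read-Host -AsSecureString "New password for $UserName"
    # Reset-DSUserPassword takes a plain string, so unwrap the SecureString
    # only for the duration of the call.
    $plain = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        Reset-DSUserPassword -DirectoryId $DirectoryId -UserName $UserName -NewPassword $plain
    } finally {
        $plain = $null
    }

    # Verify: PasswordLastSet advances when the reset succeeded.
    (Get-ADUser -Identity $UserName -Properties PasswordLastSet).PasswordLastSet
}

Reset-ManagedAdUserPassword -DirectoryId 'd-1234567890' -UserName 'jane.doe'
```

Reset-DSUserPassword goes through the Directory Service API rather than LDAP, so the reset is recorded in AWS CloudTrail as a `ResetUserPassword` event, which gives you an audit record of who reset which account and when.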

------

# Creating an AWS Managed Microsoft AD group
Creating a group

You can create groups in your AWS Managed Microsoft AD. Use the following procedure to create a security group with an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory. Before you can create security groups, you need to complete the procedures in [Installing the Active Directory Administration Tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html).

------
#### [ Active Directory Administration Tools ]

Use the following procedures to create an AWS Managed Microsoft AD group with Active Directory Administration Tools.

**To create a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your group (for example, Corp\Users). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **New**, and then click **Group** to open the new group wizard.

1. Type a name for the group in **Group name**, select a **Group scope** that meets your needs, and select **Security** for the **Group type**. For more information on Active Directory group scope and security groups, see [Active Directory security groups](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups) in Microsoft Windows Server documentation.

1. Click **OK**. The new security group will appear in the **Users** folder.

------
#### [ PowerShell ]

You can use PowerShell commands to create groups. For more information, see [New-ADGroup](https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps) in Windows Server 2022 PowerShell documentation.

------

# Adding an AWS Managed Microsoft AD user to a group
Adding a user to a group

You can add AWS Managed Microsoft AD users to a group. Use the following procedure to add a user to a security group with an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory.

------
#### [ Active Directory Administration Tools ]

**To add a user to a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU under your directory's NetBIOS name OU where you stored your group, and then select the group to which you want to add a user as a member.  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **Properties** to open the properties dialog box for the group.

1. Select the **Members** tab and click **Add**.

1. For **Enter the object names to select**, type the username you want to add and click **OK**. The name will be displayed in the **Members** list. Click **OK** again to update the group membership.

1. Verify that the user is now a member of the group by selecting the user in the **Users** folder and clicking **Properties** in the **Action** menu to open the properties dialog box. Select the **Member Of** tab. You should see the name of the group in the list of groups that the user belongs to.

------
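The script below is an added example, not part of the AWS documentation, that carries out the two previous procedures (creating a security group and adding a user to it) from PowerShell on the domain-joined instance, and ends with the same verification the last step above performs in the GUI: checking the group from the group's **Members** side and from the user's **Member Of** side. It assumes the Active Directory module is installed, the user **jane.doe** already exists, and the NetBIOS name reported by `Get-ADDomain`; the group name and description are constructed for the example.

```powershell
# Added example (not from the AWS documentation): create a security group in
# <NetBIOS>\Users, add a user to it, and verify the membership from both sides.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$usersOU   = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
$groupName = 'app-finance-readers'   # constructed sample group name
$userName  = 'jane.doe'              # constructed sample username, must already exist

# Create the group only if it does not exist, so re-running the script is harmless.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $usersOU
if (-not $group) {
    $newGroup = @{
        Name           = $groupName
        SamAccountName = $groupName
        GroupCategory  = 'Security'   # the GUI procedure selects Security for Group type
        GroupScope     = 'Global'     # pick the scope that meets your needs
        Path           = $usersOU
        Description    = 'Read access to the finance application'   # constructed
        PassThru       = $true
    }
    $group = New-ADGroup @newGroup
}

Add-ADGroupMember -Identity $group -Members $userName

# Verify from both sides, as the GUI steps do: group -> Members, user -> Member Of.
$memberNames = (Get-ADGroupMember -Identity $group).SamAccountName
$userGroups  = (Get-ADPrincipalGroupMembership -Identity $userName).Name
[PSCustomObject]@{
    Group             = $group.DistinguishedName
    GroupContainsUser = $memberNames -contains $userName
    UserListsGroup    = $userGroups -contains $groupName
}
```

Checking membership from the user's side with Get-ADPrincipalGroupMembership also surfaces any other groups the account belongs to, which is the view to review when confirming a user has no more access than intended.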