

# Manage users and groups with an Amazon EC2 instance
<a name="ms_ad_manage_users_groups_ec2"></a>

 This section includes procedures for managing users and groups with an Amazon EC2 instance that's joined to your AWS Managed Microsoft AD. 

 We recommend managing users and groups with an Amazon EC2 instance if the Directory Service Data API doesn't support your use case. For more information, see the [AWS Directory Service Data API Reference](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html). 

**Note**  
 Before you complete any of the procedures in the following topics, you must install the Active Directory administration tools. For more information, see [Install the Active Directory administration tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html). 

**Topics**
+ [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md)
+ [Creating an AWS Managed Microsoft AD user](ms_ad_manage_users_groups_create_user.md)
+ [Delete a user's account with an Amazon EC2 instance](ms_ad_manage_users_groups_delete_user.md)
+ [Resetting an AWS Managed Microsoft AD user password](ms_ad_manage_users_groups_reset_password.md)
+ [Creating an AWS Managed Microsoft AD group](ms_ad_manage_users_groups_create_group.md)
+ [Adding an AWS Managed Microsoft AD user to a group](ms_ad_manage_users_groups_add_user_to_group.md)

# Installing Active Directory Administration Tools for AWS Managed Microsoft AD
<a name="ms_ad_install_ad_tools"></a>

You can manage your AWS Managed Microsoft AD Active Directory using Active Directory Domain Services and Active Directory Lightweight Directory Services Tools. To use Active Directory Domain Services and Active Directory Lightweight Directory Services Tools, you will need to install them. The following procedures walk you through how you can install these tools on an Amazon EC2 Windows Server instance or with a PowerShell command. Alternatively, you can launch a directory administration EC2 instance which already has these tools installed.

------
#### [ EC2 Windows Server instance ]

Before you can begin this procedure, complete the following:

1. Create an AWS Managed Microsoft AD Active Directory. For more information, see [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).

1. Launch and join an EC2 Windows Server instance to your AWS Managed Microsoft AD Active Directory. The EC2 instance needs the following policies to create users and groups: **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess**. For more information, see [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md) and [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md).

1. You will need the credentials for your Active Directory domain Administrator. These credentials were created when the AWS Managed Microsoft AD was created. If you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory), your Administrator username includes your NetBIOS name, **corp\admin**.

**Installing Active Directory administration tools on an EC2 Windows Server instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Instances**, select the Windows Server instance, and then choose **Connect**.

1. In the **Connect to instance** page, choose **RDP client**.

1. In the **RDP client** tab, choose **Download Remote Desktop File**, then choose **Get Password** to retrieve your password.

1. In the **Get Windows password** dialog box, choose **Upload private key file**. Choose the .pem private key file associated with the Windows Server instance. After uploading the private key file, select **Decrypt password**.

1. In the **Windows Security** dialog box, copy your local administrator credentials for the Windows Server computer to sign in. The username can be in the following formats: ***NetBIOS-Name*\admin** or ***DNS-Name*\admin**. For example, **corp\admin** would be the username if you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).

1. Once signed in to the Windows Server instance, open **Server Manager** from the Start menu by choosing **Server Manager**.

1. In the **Server Manager Dashboard**, choose **Add roles and features**.

1. In the **Add Roles and Features Wizard** choose **Installation Type**, select **Role-based or feature-based installation**, and choose **Next**.

1. Under **Server Selection**, make sure the local server is selected, and choose **Features** in the left navigation pane.

1. In the **Features** tree, select and open **Remote Server Administration Tools**, **Role Administration Tools**, and **AD DS and AD LDS Tools**. With **AD DS and AD LDS Tools** selected, **Active Directory module for PowerShell**, **AD DS Tools**, and **AD LDS Snap-ins and Command-Line Tools** are selected. Scroll down and select **DNS Server Tools**, and then choose **Next**.  
![\[Installing Microsoft AD Tools, the Add Roles and Features Wizard Features Tree with tools selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/ms-install-ad-tools.png)

1. Review the information and choose **Install**. When the feature installation is finished, the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools are available from the Start menu in the **Administrative Tools** folder.

------
#### [ PowerShell ]

You can install the Active Directory Administration Tools using PowerShell. For example, you can install the Active Directory remote administration tools from a PowerShell prompt using `Install-WindowsFeature RSAT-ADDS`. For more information, see [Install-WindowsFeature](https://docs.microsoft.com/en-us/powershell/module/servermanager/install-windowsfeature?view=winserver2012r2-ps) on the Microsoft website.
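As an added example (not from the AWS documentation), the following script installs the same feature set the Server Manager procedure above selects, checks each feature actually reports as installed, and confirms the Active Directory module can reach the domain. Feature names are the standard Windows Server feature names.

```powershell
# Added example, not from the AWS documentation. Run in an elevated PowerShell
# session on the Windows Server instance that is joined to the directory.
Import-Module ServerManager

# Feature names correspond to the Server Manager tree used in the GUI procedure:
#   RSAT-AD-PowerShell -> Active Directory module for Windows PowerShell
#   RSAT-ADDS          -> AD DS Tools (includes Active Directory Users and Computers)
#   RSAT-ADLDS         -> AD LDS Snap-Ins and Command-Line Tools
#   RSAT-DNS-Server    -> DNS Server Tools
$features = 'RSAT-AD-PowerShell', 'RSAT-ADDS', 'RSAT-ADLDS', 'RSAT-DNS-Server'

$result = Install-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Feature installation failed (exit code: $($result.ExitCode))."
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning "Restart needed: $($result.RestartNeeded). Reboot before using the tools."
}

# Check every requested feature now reports Installed rather than trusting the
# summary flag alone.
$notInstalled = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($notInstalled) {
    throw "Still missing: $($notInstalled.Name -join ', ')"
}

# Smoke test: the AD module must load and reach a domain controller. A failure
# here usually means the instance is not domain joined or DNS points elsewhere.
Import-Module ActiveDirectory
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DistinguishedName
```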

------
#### [ Directory administration instance  ]

You can launch a directory administration EC2 instance in the AWS Management Console that already has the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools installed by following the procedures in [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md).

------

# Creating an AWS Managed Microsoft AD user
<a name="ms_ad_manage_users_groups_create_user"></a>

You can create AWS Managed Microsoft AD users with the Active Directory Administration Tools and PowerShell. Before you can create a user with the Active Directory Administration Tools, you will need to complete the procedure in [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).

------
#### [ Active Directory Administration Tools ]

Use the following procedure to create an AWS Managed Microsoft AD user with Active Directory Administration Tools.

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool from the Windows Start menu. There is a shortcut to this tool found in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your user (for example, **corp\Users**). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, choose **New**, and then choose **User** to open the new user wizard.

1. On the first page of the wizard, enter the values for the following fields, and then choose **Next**.
   + **First name**
   + **Last name**
   + **User logon name**

1. On the second page of the wizard, enter a temporary password in **Password** and **Confirm Password**. Make sure the **User must change password at next logon** option is selected. None of the other options should be selected. Choose **Next**.

1. On the third page of the wizard, verify that the new user information is correct and choose **Finish**. The new user will appear in the **Users** folder.

------
#### [ PowerShell ]

Use the following procedure to create an AWS Managed Microsoft AD user with PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory administrator.

1. Open PowerShell.

1. Type the following command, replacing the username **jane.doe** with the username of the user you want to create. You will be prompted by PowerShell to provide a password for the new user. For more information on Active Directory password complexity requirements, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements). For more information on the New-ADUser command, see [Microsoft documentation](https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-aduser?view=windowsserver2022-ps).

```
New-ADUser -Name "jane.doe" -Enabled $true -AccountPassword (Read-Host -AsSecureString 'Password')
```
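The one-liner above creates the user in the default container and does not force a password change. As an added example (not from the AWS documentation), the following script creates the user in the directory's NetBIOS-named Users OU with the same "User must change password at next logon" setting the wizard procedure uses, and verifies the result. The names jane.doe, Jane and Doe are placeholders; the OU path is derived from the directory at run time.

```powershell
# Added example, not from the AWS documentation. Assumes the instance is joined
# to the directory and the session runs as the directory Admin user. The values
# jane.doe, Jane and Doe are placeholders.
Import-Module ActiveDirectory

$userName = 'jane.doe'
$domain   = Get-ADDomain
# AWS Managed Microsoft AD delegates a <NetBIOS name> OU to you; users belong
# under its Users OU (for example OU=Users,OU=corp,DC=corp,DC=example,DC=com).
$ouPath   = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"

if (Get-ADUser -Filter "SamAccountName -eq '$userName'") {
    throw "User '$userName' already exists."
}

# Prompt for the temporary password so it is never part of the command line,
# the console transcript or the PSReadLine history file. It must satisfy the
# directory's password policy or New-ADUser fails with a policy error.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password'

$newUser = @{
    Name                  = $userName
    SamAccountName        = $userName
    UserPrincipalName     = "$userName@$($domain.DNSRoot)"
    GivenName             = 'Jane'
    Surname               = 'Doe'
    DisplayName           = 'Jane Doe'
    Path                  = $ouPath
    AccountPassword       = $tempPassword
    ChangePasswordAtLogon = $true   # same as "User must change password at next logon"
    Enabled               = $true
}
New-ADUser @newUser

# Verify placement and the must-change flag: AD stores the flag as pwdLastSet = 0.
$created = Get-ADUser -Identity $userName -Properties pwdLastSet
[pscustomobject]@{
    DistinguishedName = $created.DistinguishedName
    Enabled           = $created.Enabled
    MustChangeAtLogon = ($created.pwdLastSet -eq 0)
}
```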

------

# Delete a user's account with an Amazon EC2 instance
<a name="ms_ad_manage_users_groups_delete_user"></a>

 You can use the following procedure to delete a user with an Amazon EC2 instance that's joined to your AWS Managed Microsoft AD. 

**Note**  
 Before you complete this procedure, you must install the Active Directory administration tools. For more information, see [Install the Active Directory administration tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html). 

**To delete a user**

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU containing the user that you want to delete (for example, Corp\Users).

1. Select the user you wish to delete. On the **Action** menu, choose **Delete**.

1. A dialog box will appear prompting you to confirm you want to delete the user. Choose **Yes** to delete the user.

Deleted users are stored temporarily in the AD Recycle Bin. For more information about the AD Recycle Bin, see [The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944) in Microsoft's Ask the Directory Services Team blog.

# Resetting an AWS Managed Microsoft AD user password
<a name="ms_ad_manage_users_groups_reset_password"></a>

Users must adhere to the password policies defined in the Active Directory. Sometimes this gets the best of users, including the Active Directory administrator, and they forget their password. When this happens, you can quickly reset the user's password using Directory Service if the user resides in AWS Managed Microsoft AD.

You must be signed in as a user with the necessary permissions to reset passwords. For more information about permissions, see [Overview of managing access permissions to your Directory Service resources](IAM_Auth_Access_Overview.md).

You can reset the password for any user in your Active Directory with the following exceptions:
+ You can reset the password for any user within the Organizational Unit (OU) that is based on the NetBIOS name you used when you created your Active Directory. For example, if you followed the procedure in [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory), your NetBIOS name would be CORP and the users whose passwords you could reset would be members of the Corp/Users OU.
+ You cannot reset the password of any user outside of the OU that is based on the NetBIOS name you used when you created your Active Directory. For example, you cannot reset the password for a user in the **AWS Reserved OU**. For more information about the OU structure for AWS Managed Microsoft AD, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md). 

For more information on how the password policies are applied when a password is reset in AWS Managed Microsoft AD, see [How password policies are applied](ms_ad_password_policies.md#how_password_policies_applied).

**You can use any of the following tools to reset an AWS Managed Microsoft AD user password:**
+ AWS Management Console
+ AWS CLI
+ PowerShell

------
#### [ AWS Management Console ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with the AWS Management Console.

1. In the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**, and then select the Active Directory in the list where you want to reset a user password.

1. On the **Directory details** page, choose **Actions**, and then choose **Reset user password**.

1. In the **Reset user password** dialog, in **Username** type the username of the user whose password needs to change.

1. Type a password in **New password** and **Confirm password**, and then choose **Reset password**.

------
#### [ AWS CLI ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with the AWS CLI.

1. To install the AWS CLI, see [Install or update the latest version of the AWS CLI](https://docs.aws.amazon.com//cli/latest/userguide/getting-started-install.html).

1. Open the AWS CLI.

1. Type the following command, replacing the Directory ID, username **jane.doe**, and password **P@ssw0rd** with your Active Directory Directory ID and desired credentials. See [reset-user-password](https://docs.aws.amazon.com/cli/latest/reference/ds/reset-user-password.html) in the *AWS CLI Command Reference* for more information.

```
aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-password "P@ssw0rd"
```

------
#### [ PowerShell ]

Use the following procedure to reset an AWS Managed Microsoft AD user password with PowerShell.

1. Connect to the instance joined to your Active Directory domain as the Active Directory administrator.

1. Open PowerShell.

1. Type the following command, replacing the username **jane.doe**, the Directory ID, and password **P@ssw0rd** with your Active Directory Directory ID and desired credentials. See [Reset-DSUserPassword Cmdlet](https://docs.aws.amazon.com/powershell/latest/reference/items/Reset-DSUserPassword.html) for more information.

```
Reset-DSUserPassword -UserName "jane.doe" -DirectoryId d-1234567890 -NewPassword "P@ssw0rd"
```

------

# Creating an AWS Managed Microsoft AD group
<a name="ms_ad_manage_users_groups_create_group"></a>

You can create groups in your AWS Managed Microsoft AD. Use the following procedure to create a security group with an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory. Before you can create security groups, you need to complete the procedures in [Installing the Active Directory Administration Tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_install_ad_tools.html).

------
#### [ Active Directory Administration Tools ]

Use the following procedures to create an AWS Managed Microsoft AD group with Active Directory Administration Tools.

**To create a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your group (for example, Corp\Users). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **New**, and then click **Group** to open the new group wizard.

1. Type a name for the group in **Group name**, select a **Group scope** that meets your needs, and select **Security** for the **Group type**. For more information on Active Directory group scope and security groups, see [Active Directory security groups](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups) in Microsoft Windows Server documentation.

1. Click **OK**. The new security group will appear in the **Users** folder.

------
#### [ PowerShell ]

You can use PowerShell commands to create groups. For more information, see [New-ADGroup](https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps) in Windows Server 2022 PowerShell documentation.
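As an added example (not from the AWS documentation), the following script creates a global security group in the directory's NetBIOS-named Users OU, the same choices the wizard procedure asks for, and verifies them. The group name and description are placeholders.

```powershell
# Added example, not from the AWS documentation. Run on the domain-joined
# instance as the directory Admin user. Group name and description are placeholders.
Import-Module ActiveDirectory

$groupName = 'FinanceShare-ReadOnly'
$domain    = Get-ADDomain
$ouPath    = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"

$existing = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouPath
if ($existing) {
    Write-Host "Group '$groupName' already exists at $($existing.DistinguishedName)."
} else {
    $newGroup = @{
        Name           = $groupName
        SamAccountName = $groupName
        GroupCategory  = 'Security'   # Distribution groups cannot be used in ACLs
        GroupScope     = 'Global'     # Global: members come from this domain only
        Path           = $ouPath
        Description    = 'Read-only access to the finance file share'
    }
    New-ADGroup @newGroup
}

# Verify category, scope and placement, the same fields the wizard asks for.
Get-ADGroup -Identity $groupName -Properties Description |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName, Description
```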

------

# Adding an AWS Managed Microsoft AD user to a group
<a name="ms_ad_manage_users_groups_add_user_to_group"></a>

You can add AWS Managed Microsoft AD users to a group. Use the following procedure to add a user to a security group with an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory.

------
#### [ Active Directory Administration Tools ]

**To add a user to a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU under your directory's NetBIOS name OU where you stored your group, and then select the group to which you want to add a user as a member.  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **Properties** to open the properties dialog box for the group.

1. Select the **Members** tab and click **Add**.

1. For **Enter the object names to select**, type the username you want to add and click **OK**. The name will be displayed in the **Members** list. Click **OK** again to update the group membership.

1. Verify that the user is now a member of the group by selecting the user in the **Users** folder and clicking **Properties** in the **Action** menu to open the properties dialog box. Select the **Member Of** tab. You should see the name of the group in the list of groups that the user belongs to.

------
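As an added example (not from the AWS documentation), the following script performs the same membership change from PowerShell and verifies it the way the **Member Of** tab does, by listing the user's groups. It assumes the user jane.doe and the group FinanceShare-ReadOnly already exist; both names are placeholders.

```powershell
# Added example, not from the AWS documentation. Assumes the user jane.doe and
# the group FinanceShare-ReadOnly already exist in the directory (placeholders).
Import-Module ActiveDirectory

$userName  = 'jane.doe'
$groupName = 'FinanceShare-ReadOnly'

# Resolve both objects first so a typo fails here, not partway through.
$user  = Get-ADUser  -Identity $userName
$group = Get-ADGroup -Identity $groupName

$isMember = Get-ADGroupMember -Identity $group |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }

if ($isMember) {
    Write-Host "$userName is already a member of $groupName."
} else {
    Add-ADGroupMember -Identity $group -Members $user
}

# Verify from the user's side, which is what the Member Of tab displays.
$memberOf = Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty Name
if ($memberOf -notcontains $groupName) {
    throw "$userName is not listed as a member of $groupName."
}
$memberOf

# Group membership is evaluated at logon when the Kerberos ticket is issued;
# sessions the user already has keep their old group set until they sign in again.
```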