

# Manage AWS Managed Microsoft AD users and groups with the AWS Management Console, AWS CLI, or AWS Tools for PowerShell
<a name="ms_ad_manage_users_groups_procedures"></a>

You can use the AWS Management Console, AWS CLI, or AWS Tools for PowerShell to manage your AWS Managed Microsoft AD users and groups with [AWS Directory Service Data](ms_ad_getting_started_directory_service_data.md). The AWS Directory Service Data CLI uses the `ds-data` namespace. For more information on the AWS CLI, see [Getting started with AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). For more information on AWS Tools for PowerShell, see [AWS Tools for PowerShell User Guide](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-welcome.html).

See the following procedures for more information on creating, viewing, updating, and deleting AWS Managed Microsoft AD users and groups.

**Topics**
+ [Enabling or disabling user and group management or AWS Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md)
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md)
+ [Viewing and updating an AWS Managed Microsoft AD user](ms_ad_view_update_user.md)
+ [Deleting an AWS Managed Microsoft AD user](ms_ad_delete_user.md)
+ [Disabling an AWS Managed Microsoft AD user](ms_ad_disable_user.md)
+ [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md)
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md)
+ [Viewing and updating an AWS Managed Microsoft AD group's details](ms_ad_view_update_group.md)
+ [Deleting an AWS Managed Microsoft AD group](ms_ad_delete_group.md)
+ [Adding and removing AWS Managed Microsoft AD members to groups and groups to groups](ms_ad_add_remove_user_group.md)
+ [Copying AWS Managed Microsoft AD group memberships in the AWS Management Console](copy_group_membership.md)

# Enabling or disabling user and group management or AWS Directory Service Data
<a name="ms_ad_users_groups_mgmt_enable_disable"></a>

To use user and group management or AWS Directory Service Data, it must be enabled. Once enabled, you can manage users and groups from the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
 For a list of regions that support AWS Directory Service Data, see [Supported AWS Regions for Directory Service Data](regions.md#regions_directory_service_data).
Access controls for AWS Directory Service Data differ from the access controls for AWS applications such as Amazon WorkSpaces, Amazon Quick, and Amazon WorkMail. For more information, see [AWS application authorization with Directory Service Data](ad_manage_apps_services_authorization.md#ad_manage_apps_services_authorization_ADSD).

## Enabling AWS Directory Service Data
<a name="ms_ad_user_group_mgmt_enable"></a>

Use the following procedure to enable user and group management or AWS Directory Service Data for an existing AWS Managed Microsoft AD with either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

------
#### [ AWS Management Console ]

You can enable user and group management with the AWS Management Console.

**To enable user and group management**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directory details** page, to enable user and group management, select **Enable**.

1. In the **Enable user and group management** dialog box, select **Enable**.

------
#### [ AWS CLI ]

 The following describes how to format a request that enables AWS Directory Service Data for a directory. You must include your Directory ID in your request.

**Note**  
Enabling and disabling AWS Directory Service Data are Directory Service API operations, so these commands use the `aws ds` namespace rather than `aws ds-data`.

**To enable AWS Directory Service Data CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
aws ds enable-directory-data-access --directory-id d-1234567890
```

------
#### [ AWS Tools for PowerShell ]

**To enable Directory Service Data with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
Enable-DSDirectoryDataAccess -DirectoryId d-1234567890
```

------

## Disabling AWS Directory Service Data
<a name="ms_ad_user_group_mgmt_disable"></a>

Use the following procedure to disable user and group management or AWS Directory Service Data for an existing AWS Managed Microsoft AD with either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

------
#### [ AWS Management Console ]

You can disable user and group management with the AWS Management Console.

**To disable user and group management**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directory details** page, to disable user and group management, select **Disable**.

1. In the **Disable user and group management** dialog box, select **Disable**.

------
#### [ AWS CLI ]

 The following describes how to format a request that disables AWS Directory Service Data for a directory. You must include your Directory ID in your request. 

**Note**  
Enabling and disabling AWS Directory Service Data are Directory Service API operations, so these commands use the `aws ds` namespace rather than `aws ds-data`.

**To disable AWS Directory Service Data CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
aws ds disable-directory-data-access --directory-id d-1234567890
```

------
#### [ AWS Tools for PowerShell ]

**To disable Directory Service Data with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID with your AWS Managed Microsoft AD Directory ID: 

```
Disable-DSDirectoryDataAccess -DirectoryId d-1234567890
```

------

# Creating an AWS Managed Microsoft AD user
<a name="ms_ad_create_user"></a>

Use the following procedure to create a new AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).

------
#### [ AWS Management Console ]

 You can create a new AWS Managed Microsoft AD user account in the AWS Management Console. When you create a new user account, you specify the new user's details and determine whether to add the new user to a group or copy another user's group memberships into the new user. 

For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  On the **Directory details** page, under the **Users** section, choose **Create users account**.

1. The **Specify user details** page opens. Under the **Required information** section, enter a user logon name and password. User logon names must meet the following conditions:
   + Must be a unique logon name
   + Can be up to 20 characters long
   + Can only contain alphanumeric characters; special characters such as @ % ^ & - = ( ) [ ] : ; " ' < > , . ? / and the backtick are not allowed

   The password must adhere to your password policy requirements. Check with your AWS administrator for more information.
**Warning**  
The user logon name cannot be changed after the user is created.

   1. *(Optional)* Under the **Primary information** section, you can enter a first and last name for the user. You can also enter a display name and description for the user.

   1. *(Optional)* Under the **Contact methods** section, you can enter an email address and telephone numbers for the user.

   1. *(Optional)* Under the **Job-related information** section, you can enter a department, manager, office, and company for the user.

   1. *(Optional)* Under the **Address** section, you can enter an address for the user.

   1. *(Optional)* Under the **Account settings** section, you can enter notes, a preferred language, and service principal name for the user.

      For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

1. Choose **Next** once you've provided the user account details.

1. On the **Add users to groups - *optional*** page, you can add the user to a new group or to an existing group. You can also copy the group membership of an existing user to the new user. If you don't want to add a user to a group, choose **Next**. Move to Step 12 to continue this procedure.

1. *(Optional)* To create a new group, see [Create a AWS Managed Microsoft AD group](ms_ad_create_group.md).

1. *(Optional)* To add a new user to an existing group:

   1. Select the group you want to add the new user to in the **Groups** section. To find groups, enter the group name in the search box. 

1. *(Optional)* To copy the group membership of an existing user to a new user:

   1. Choose the **Copy group membership from user** tab. To find a user with a group membership you want to copy, enter the user logon name in the search box under the **Users** section.

   1. In the **Selected groups** section, select the groups the new user should become a member of.

1. Choose **Next** when you're ready to create the new user account.

1. On the **Review and create user** page, review all the choices you made. Choose **Create user**.

1. After the user is configured, you're taken to the new user's details page. A banner appears stating the user was successfully created.

**Important**  
 If you receive an error message telling you that you don't have permission to create a user, follow the instructions in the error message to request that your administrator grant you access. 

------
#### [ AWS CLI ]

 The following describes how to format a request that creates a new AWS Managed Microsoft AD user account with the AWS Directory Service Data CLI. You must include your directory ID number and a user logon name in your request. You can also include other attributes, such as a user display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID, user logon name, and attribute values with your AWS Managed Microsoft AD Directory ID and the values you want: 

```
aws ds-data create-user \
  --directory-id d-1234567890 \
  --sam-account-name "jane.doe" \
  --other-attributes '{
    "DisplayName" : { "S": "jane.doe"},
    "Department":{ "S": "Legal"}
    }'
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that creates a new AWS Managed Microsoft AD user account with AWS Tools for PowerShell. You must include your directory ID number and a user logon name in your request. You can also include other attributes, such as a user display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To create an AWS Managed Microsoft AD user with Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID, user logon name, and attribute values with your AWS Managed Microsoft AD Directory ID and the values you want: 

```
New-DSDUser `
    -DirectoryId d-1234567890 `
    -SAMAccountName "jane.doe" `
    -OtherAttribute @{
        DisplayName = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'jane.doe' }
        Department = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'Legal' }
    }
```

------
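The procedures above leave two things to the operator: checking the logon name before the call (it cannot be changed afterwards) and getting the `OtherAttributes` map into the `{"S": ...}` AttributeValue shape. The following is an added example, not code from the AWS documentation. It applies the console's logon-name rules quoted on this page (unique, at most 20 characters, alphanumeric), wraps plain Python values in the AttributeValue union (`S`, `N`, `BOOL`, `SS`) and returns the keyword arguments for a boto3 `ds-data` `create_user()` call (`DirectoryId`, `SAMAccountName`, `GivenName`, `Surname`, `OtherAttributes`, `ClientToken`). The directory ID, names and the set of existing logon names are constructed.

```python
"""Shape and pre-check a ds-data CreateUser request before sending it.

Added example, not code from the AWS documentation. The directory ID, names
and the set of existing logon names below are constructed.
"""
import json
import re
import uuid
from typing import Any, Optional

# Logon-name rules as stated on this page. The page's own CLI example uses
# "jane.doe", so relax LOGON_RE if your directory accepts other characters.
MAX_LOGON_LEN = 20
LOGON_RE = re.compile(r"^[A-Za-z0-9]+$")


def validate_logon_name(name: str, existing: set) -> list:
    """Return every rule the proposed sAMAccountName violates (empty list means OK)."""
    problems = []
    if not name or len(name) > MAX_LOGON_LEN:
        problems.append(f"length must be 1-{MAX_LOGON_LEN} characters")
    if name and not LOGON_RE.match(name):
        problems.append("only alphanumeric characters are allowed")
    # AD logon names are case-insensitive, so "Admin" and "admin" collide.
    if name.casefold() in {e.casefold() for e in existing}:
        problems.append("logon name already exists")
    return problems


def to_attribute_value(value: Any) -> dict:
    """Wrap a Python value in the ds-data AttributeValue union (S, N, BOOL or SS)."""
    if isinstance(value, bool):  # bool is an int subclass, so test it first
        return {"BOOL": value}
    if isinstance(value, int):
        return {"N": value}
    if isinstance(value, str):
        return {"S": value}
    if isinstance(value, (list, tuple, set)) and all(isinstance(v, str) for v in value):
        return {"SS": sorted(value)}
    raise TypeError(f"unsupported attribute value type: {type(value).__name__}")


def build_create_user_request(directory_id: str, logon_name: str, existing: set,
                              given_name: Optional[str] = None,
                              surname: Optional[str] = None,
                              **other_attributes: Any) -> dict:
    """Return kwargs for client.create_user(); raise ValueError if the logon name is invalid."""
    problems = validate_logon_name(logon_name, existing)
    if problems:
        raise ValueError(f"{logon_name!r}: " + "; ".join(problems))
    request = {
        "DirectoryId": directory_id,
        "SAMAccountName": logon_name,
        # Idempotency token: a retried call with the same token does not create a second user.
        "ClientToken": str(uuid.uuid4()),
    }
    if given_name:
        request["GivenName"] = given_name
    if surname:
        request["Surname"] = surname
    if other_attributes:
        request["OtherAttributes"] = {k: to_attribute_value(v)
                                      for k, v in other_attributes.items()}
    return request


if __name__ == "__main__":
    # Constructed input: a made-up directory and the logon names already in it.
    # In practice, build `existing` from the ds-data list_users() results.
    existing = {"Administrator", "svcbackup"}
    req = build_create_user_request("d-1234567890", "jdoe", existing,
                                    given_name="Jane", surname="Doe",
                                    DisplayName="Jane Doe", Department="Legal")
    print(json.dumps(req, indent=2))
    # To create the user (in the directory's primary Region, with the feature enabled):
    #   boto3.client("ds-data", region_name="us-east-1").create_user(**req)
```

The validator reports every violated rule at once rather than stopping at the first, which is what you want when the check runs in a provisioning pipeline; the `ClientToken` makes a retried call after a timeout safe, since the service treats an identical retry as the same request.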

# Viewing and updating an AWS Managed Microsoft AD user
<a name="ms_ad_view_update_user"></a>

Use the following procedure to view or update an AWS Managed Microsoft AD user's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

## Viewing an AWS Managed Microsoft AD user's details
<a name="ms_ad_view_user"></a>

You can view a user's details in the AWS Management Console, AWS CLI, or AWS Tools for PowerShell. The user's details include profile and account information and group memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can view an AWS Managed Microsoft AD user's details in the AWS Management Console.

**To view an AWS Managed Microsoft AD user's details and account details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select a user. You're directed to the **User details** screen. The **User details** screen shows the following information: 
   +  Groups the user is a member of (group memberships) 
   +  Profile details (such as primary information like user logon name, first name, last name, etc.) 
   +  Account settings (such as account information like user principal name, service principal name, distinguished name, etc.) 
   + Account status

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS CLI ]

 With the AWS CLI, you can view a user's details, which includes profile and account information and group memberships. 

**To view an AWS Managed Microsoft AD user's profile and account details with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD user's details with the AWS Directory Service Data CLI. 
+  To view a user's details, open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data describe-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

**To view a user's group memberships**  
 The following describes how to view an AWS Managed Microsoft AD user's group membership with the AWS Directory Service Data CLI. 
+  To view a user's group memberships, open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data list-groups-for-member --directory-id d-1234567890 --sam-account-name "jane.doe"
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS Tools for PowerShell ]

 With Tools for PowerShell, you can view a user's details, which includes profile and account information and group memberships. 

**To view an AWS Managed Microsoft AD user's profile and account details with Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD user's details with the Tools for PowerShell. 
+ To view a user's details, open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Get-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

**To view a user's group memberships**  
 The following describes how to view an AWS Managed Microsoft AD user's group membership with the Tools for PowerShell. 
+ To view a user's group memberships, open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
(Get-DSDGroupsForMemberList -DirectoryId d-1234567890 -SAMAccountName "jane.doe").Groups
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------

## Updating an AWS Managed Microsoft AD user's details
<a name="ms_ad_update_user"></a>

Use the following procedure to update an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Note**  
The minimum attribute length is 1.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can update an AWS Managed Microsoft AD user's details in the AWS Management Console.

**To update an AWS Managed Microsoft AD user's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select a user. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen. 

1.  To edit groups the user is a member of, choose **Groups**. From this tab, you can add and remove the user from groups. For more information, see [Add an AWS Managed Microsoft AD member to a group](ms_ad_add_remove_user_group.md). 

1. To edit the user's profile details, choose **Profile**, and then choose **Edit**. Or choose **Actions**, and then choose **Edit user**. Make and review your updates, and then choose **Save**. 
**Warning**  
The user logon name cannot be changed after the user is created.

1.  To edit the user's account settings, choose **User account settings**. Or choose **Actions**, and then choose **Edit user**. Make and review your updates, and then choose **Save**. 

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS CLI ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD user's details with AWS Directory Service Data CLI.

 When you update a user's account, you must include your directory ID number and user logon name. You also must include the update type (`ADD`, `REPLACE`, or `REMOVE`) and the attribute you want to update in your request, such as a user's last name with the `Surname` parameter. For more information, see [AWS Directory Service Data attributes](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_data_attributes.html). 
+  To update a user's details, open the AWS CLI, and run the following command, replacing the Directory ID, username, update type, and attribute value with your AWS Managed Microsoft AD Directory ID, username, and desired update type and attribute value: 

```
aws ds-data update-user --directory-id d-1234567890 --sam-account-name "jane.doe" --update-type "REPLACE" --surname "Doe"
```

**Note**  
When removing user attributes with the [update-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ds-data/update-user.html) CLI command, you must specify the attribute and the exact value to be removed. To determine a user's current attribute values, use the [describe-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ds-data/describe-user.html) command.

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD user's details with AWS Tools for PowerShell.

 When you update a user's account, you must include your directory ID number and user logon name. You also must include the update type (`ADD`, `REPLACE`, or `REMOVE`) and the attribute you want to update in your request, such as a user's last name with the `Surname` parameter. For more information, see [AWS Directory Service Data attributes](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_data_attributes.html). 
+  To update a user's details, open PowerShell, and run the following command, replacing the Directory ID, username, update type, and attribute value with your AWS Managed Microsoft AD Directory ID, username, and desired update type and attribute value: 

```
Update-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe" -UpdateType "REPLACE" -Surname "Doe"
```

For more information on user attributes, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/ad/user-object-attributes).

------
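The `REMOVE` update type above is the one that bites in practice: the request must carry the attribute together with its exact current value, so an update script has to read the user first and must not remove something it did not inspect. The following is an added example, not code from the AWS documentation. It builds the keyword arguments for a boto3 `ds-data` `update_user()` call from a `describe_user()` result, refusing a `REMOVE` when the attribute is absent or no longer holds the value the operator saw, and enforces the one-character minimum attribute length noted above on `REPLACE`. The `describe_user()` response embedded here is a constructed sample in the API's shape, not captured output, and the directory and user are made up.

```python
"""Build ds-data UpdateUser requests that remove or replace one attribute safely.

Added example, not code from the AWS documentation. The DescribeUser response
below is a constructed sample; the directory ID and user are made up.
"""
import json
import uuid
from typing import Any

# UpdateUser parameters of their own; everything else travels in OtherAttributes.
TOP_LEVEL = {"GivenName", "Surname", "EmailAddress"}

# Constructed sample of a boto3 ds-data describe_user() result.
SAMPLE_DESCRIBE_USER = {
    "DirectoryId": "d-1234567890",
    "Realm": "corp.example.com",
    "SAMAccountName": "jane.doe",
    "DistinguishedName": "CN=jane.doe,OU=Users,OU=corp,DC=corp,DC=example,DC=com",
    "UserPrincipalName": "jane.doe@corp.example.com",
    "Enabled": True,
    "GivenName": "Jane",
    "Surname": "Doe",
    "OtherAttributes": {
        "Department": {"S": "Legal"},
        "ServicePrincipalName": {"SS": ["HTTP/legal-portal.corp.example.com"]},
    },
}


def current_value(user: dict, attribute: str) -> Any:
    """Return the attribute's value as DescribeUser reported it, or None if unset."""
    if attribute in TOP_LEVEL:
        return user.get(attribute)
    return user.get("OtherAttributes", {}).get(attribute)


def _base_request(directory_id: str, sam_account_name: str, update_type: str) -> dict:
    return {
        "DirectoryId": directory_id,
        "SAMAccountName": sam_account_name,
        "UpdateType": update_type,          # ADD, REPLACE or REMOVE
        "ClientToken": str(uuid.uuid4()),   # idempotency token for safe retries
    }


def build_remove_request(user: dict, attribute: str, expected: Any = None) -> dict:
    """kwargs for client.update_user() that remove `attribute` using its exact current value.

    `expected` is the value the operator reviewed; if the directory now reports
    something else, refuse rather than remove a value nobody looked at.
    """
    value = current_value(user, attribute)
    if value is None:
        raise LookupError(f"{attribute} is not set on {user['SAMAccountName']}; nothing to remove")
    if expected is not None and value != expected:
        raise ValueError(f"{attribute} is {value!r}, not {expected!r}; re-run describe_user first")
    request = _base_request(user["DirectoryId"], user["SAMAccountName"], "REMOVE")
    if attribute in TOP_LEVEL:
        request[attribute] = value
    else:
        request["OtherAttributes"] = {attribute: value}
    return request


def build_replace_request(directory_id: str, sam_account_name: str,
                          attribute: str, value: Any) -> dict:
    """kwargs for client.update_user() with REPLACE; rejects empty values (minimum length is 1)."""
    if attribute in TOP_LEVEL:
        if not isinstance(value, str) or len(value) < 1:
            raise ValueError(f"{attribute} must be a non-empty string")
        payload = {attribute: value}
    else:
        # Other attributes must already be in AttributeValue form, e.g. {"S": "Finance"}.
        if (not isinstance(value, dict) or not value
                or any(v in ("", [], None) for v in value.values())):
            raise ValueError(f"{attribute} needs a non-empty AttributeValue such as {{'S': 'x'}}")
        payload = {"OtherAttributes": {attribute: value}}
    request = _base_request(directory_id, sam_account_name, "REPLACE")
    request.update(payload)
    return request


if __name__ == "__main__":
    # Step 1 is describe_user(DirectoryId=..., SAMAccountName=..., OtherAttributes=["Department"]);
    # step 2 removes exactly the value that step 1 returned.
    user = SAMPLE_DESCRIBE_USER
    print(json.dumps(build_remove_request(user, "Department", expected={"S": "Legal"}), indent=2))
    print(json.dumps(build_replace_request(user["DirectoryId"], user["SAMAccountName"],
                                           "Surname", "Smith"), indent=2))
    # Send either request with boto3.client("ds-data", region_name=...).update_user(**request)
```

Passing `expected` is the check-then-act guard: a directory is shared state, and a value that changed between the read and the write should stop the script instead of being silently removed. The same request dictionaries map one-to-one onto the `aws ds-data update-user` flags shown above (`--update-type`, `--surname`, `--other-attributes`).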

# Deleting an AWS Managed Microsoft AD user
<a name="ms_ad_delete_user"></a>

Use the following procedure to delete an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you delete a user's account from a directory, all information about the user is removed, including any permissions the user has to access their account and applications. 

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can delete an AWS Managed Microsoft AD user account in the AWS Management Console. 

**To delete an AWS Managed Microsoft AD user account with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Choose the user whose account you want to delete. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen. 

1.  Choose **Actions**. Then choose **Delete user account** and **Delete user account** again. 

------
#### [ AWS CLI ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD user's account with the AWS Directory Service Data CLI.

**To delete an AWS Managed Microsoft AD user account with AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data delete-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD user's account with AWS Tools for PowerShell.

**To delete an AWS Managed Microsoft AD user account with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Remove-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

------

# Disabling an AWS Managed Microsoft AD user
<a name="ms_ad_disable_user"></a>

Use the following procedure to disable an AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you disable a user's account, the user loses any permissions to access their account and applications. 

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can disable an AWS Managed Microsoft AD user account in the AWS Management Console.

**To disable an AWS Managed Microsoft AD user account with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Choose the user whose account you want to disable. You're directed to the **User details** screen. 

1.  Choose **Actions**. Then choose **Disable user account** and **Disable user account** again. 

**Note**  
 To re-enable your user's account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md). 

------
#### [ AWS CLI ]

 The following describes how to format a request that disables an AWS Managed Microsoft AD user account with the AWS Directory Service Data CLI.

**To disable an AWS Managed Microsoft AD user account with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
aws ds-data disable-user --directory-id d-1234567890 --sam-account-name "jane.doe"
```

**Note**  
 To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md).

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that disables an AWS Managed Microsoft AD user account with AWS Tools for PowerShell.

**To disable an AWS Managed Microsoft AD user account with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and username with your AWS Managed Microsoft AD Directory ID and username: 

```
Disable-DSDUser -DirectoryId d-1234567890 -SAMAccountName "jane.doe"
```

**Note**  
 To re-enable your user account, you must reset the user's password. For more information, see [Resetting and enabling an AWS Managed Microsoft AD user's password](ms_ad_reset_user_pswd.md).

------

# Resetting and enabling an AWS Managed Microsoft AD user's password
<a name="ms_ad_reset_user_pswd"></a>

Use the following procedure to reset an AWS Managed Microsoft AD user's password and enable their account with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD user](ms_ad_create_user.md).

------
#### [ AWS Management Console ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account in the AWS Management Console. You can perform this task from either the **Directories** screen or **Directory details** screen.

**Directories**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose **Actions**, and then choose **Reset user password and enable account**. 

   1.  Under **User logon name**, enter the user logon name for the user whose password you want to reset. 

   1.  Under **New password**, enter the user's new password. 

   1.  Under **Confirm password**, enter the user's new password again. 

1.  After you confirm the user's new password, choose **Reset password and enable account**. 

**Directory details**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Users**. The tab shows a list of users in your directory. 

1.  Select the user whose password you want to reset. 

1.  Choose **Actions**, and then choose **Reset user password and enable account**. 

   1.  Under **New password**, enter the user's new password. 

   1.  Under **Confirm password**, enter the user's new password again. 

1.  After you confirm the user's new password, choose **Reset password and enable account**. 

------
#### [ AWS CLI ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account with the AWS Directory Service Data CLI.

**Note**  
The reset-user-password command uses the `aws ds` namespace rather than `aws ds-data`.

**To reset an AWS Managed Microsoft AD user's password with the AWS CLI**
+  To reset a user's password, open the AWS CLI, and run the following command, replacing the Directory ID, username, and password with your AWS Managed Microsoft AD Directory ID, username, and desired credentials: 

```
aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-password "your-password"
```

------
#### [ AWS Tools for PowerShell ]

 You can reset an AWS Managed Microsoft AD user's password to enable their account with AWS Tools for PowerShell.

**To reset an AWS Managed Microsoft AD user's password with AWS Tools for PowerShell**
+  To reset a user's password, open PowerShell, and run the following command, replacing the Directory ID, username, and password with your AWS Managed Microsoft AD Directory ID, username, and desired credentials: 

```
Reset-DSUserPassword -DirectoryId d-1234567890 -UserName "jane.doe" -NewPassword "your-password"
```

------

# Creating an AWS Managed Microsoft AD group
<a name="ms_ad_create_group"></a>

Use the following procedure to create an AWS Managed Microsoft AD group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).

------
#### [ AWS Management Console ]

 You can create a new AWS Managed Microsoft AD group in the AWS Management Console. When you create a new group, you specify the group's details and determine the [group's type and scope](ad_group_type_and_scope.md). You also have the option to add users and child groups to your new group or add your new group to a parent group.

**To create an AWS Managed Microsoft AD group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose **Create group**. You're directed to a procedure where you finish creating your new group. 

1. The **Specify group details** page opens. Enter a **Group name**. Group names must meet the following conditions:
   + Must be a unique group name
   + Can be up to 64 characters long
   + Can contain alphanumeric characters
   + Can contain special characters, including `` @%^&-=`()[]:;"'<>,.?/ ``

   **Warning**  
   The group name cannot be changed after the group is created.

1. Choose the **Group type** from one of the following:
   + **Security**
   + **Distribution**

   To learn more, see [Group type](ad_group_type_and_scope.md#ad_group_type).

1. Choose the **Group scope** from one of the following:
   + **Domain local**
   + **Universal**
   + **Global**

   You can turn on **Compare scopes** to display a chart of the similarities and differences between group scopes. To learn more, see [Group scope](ad_group_type_and_scope.md#ad_group_scope).

1. After you specify the group name, type, and scope, choose **Next**.

1. The **Add users to group - *Optional*** page opens and you can add users to the new group. To find a user to add to the group, enter the user logon name in the search box under the **Users** section. Select the users you want to add to the group and choose **Next**.

1. The **Add child groups - *Optional*** page opens and you can add existing groups to the new group. The existing groups become child groups of the newly created group. When you add a child group to your group, your group becomes the parent group, and the child group inherits all of your group's roles and permissions. To find groups to add, enter the group name in the search box under the **Add child groups** section. Select the child groups you want to add to the new group and choose **Next**.

1. The **Add parent groups - *Optional*** page opens and you can add the new group to existing groups. The existing groups become parent groups of the new group. When you add your group to a parent group, your group becomes the child group and inherits all of the parent group's roles and permissions. To find groups to add, enter the group name in the search box under the **Add parent groups** section. Select the parent groups you want to add the new group to and choose **Next**.

1. On the **Review and create group** page, review your choices, and then choose **Create group**.

------
#### [ AWS CLI ]

 The following describes how to format a request that creates an AWS Managed Microsoft AD group with the AWS Directory Service Data CLI. When you create a new group, you must include your Directory ID number and a group name. You can also add other attributes, such as a group display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 

**To create an AWS Managed Microsoft AD group with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID, group name, and group display name with your AWS Managed Microsoft AD Directory ID, group name, and desired group display name: 

```
aws ds-data create-group \
    --directory-id d-1234567890 \
    --sam-account-name "your-group-name" \
    --other-attributes '{
        "DisplayName": { "S": "myGroupDisplayName" },
        "Description": { "S": "myGroupDescription" }
    }'
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that creates an AWS Managed Microsoft AD group with AWS Tools for PowerShell. When you create a new group, you must include your Directory ID number and a group name. You can also add other attributes, such as a group display name with the `DisplayName` attribute. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 

**To create an AWS Managed Microsoft AD group with AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID, group name, and group display name with your AWS Managed Microsoft AD Directory ID, group name, and desired group display name:

```
New-DSDGroup `
    -DirectoryId d-1234567890 `
    -SAMAccountName "your-group-name" `
    -OtherAttribute @{
        DisplayName = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'myGroupDisplayName' }
        Description = [Amazon.DirectoryServiceData.Model.AttributeValue]@{S = 'myGroupDescription' }
    }
```

------

# Viewing and updating an AWS Managed Microsoft AD group's details
<a name="ms_ad_view_update_group"></a>

Use the following procedure to view or update an AWS Managed Microsoft AD group's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

## Viewing an AWS Managed Microsoft AD group's detail
<a name="ms_ad_view_group"></a>

You can view or update a group's details in the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can view an AWS Managed Microsoft AD group's details in the AWS Management Console.

**To view AWS Managed Microsoft AD group's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1. From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. The **Group details** screen shows the following information: 
   + The **Members** tab lists the users and child groups that are members of your group.
   + The **Parent groups** tab lists the parent groups that your group is a member of.
   + The **Properties** tab lists the group properties, such as the group name and group display name.

------
#### [ AWS CLI ]

 You can view an AWS Managed Microsoft AD group's details with the AWS Directory Service Data CLI. 

**To view an AWS Managed Microsoft AD group's details with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD group's details with the AWS CLI. 
+  To view a group's details, open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data describe-group --directory-id d-1234567890 --sam-account-name "your-group-name"
```

**To view an AWS Managed Microsoft AD group's members with the AWS CLI**  
 The following describes how to view an AWS Managed Microsoft AD group's members with the AWS CLI. 
+  To view a group's members, open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data list-group-members --directory-id d-1234567890 --sam-account-name "your-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 You can view an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell. 

**To view an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell.
+ To view a group's details, open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
Get-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name"
```

**To view an AWS Managed Microsoft AD group's members with AWS Tools for PowerShell**  
 The following describes how to view an AWS Managed Microsoft AD group's members with AWS Tools for PowerShell.
+  To view a group's members, open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
(Get-DSDGroupMemberList -DirectoryId d-1234567890 -SAMAccountName "your-group-name").Members
```

------
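Nested membership is where the "inherits all of the parent group's roles and permissions" rule bites: a user three groups deep in a privileged group's children holds that group's rights without appearing in `list-group-members`. The following is an added example, not code from the AWS documentation or the AWS SDKs, that expands a group's members transitively over data shaped like the ListGroupMembers response; the sample directory is constructed, and the boto3 `ds-data` wiring is an assumption about how you would point it at a live directory.

```python
"""Expand nested AWS Managed Microsoft AD group membership.

Added example, not code from the AWS documentation or the AWS SDKs. It
walks the "Members" list that the Directory Service Data ListGroupMembers
API returns and recurses into GROUP members, so an auditor can see the
effective users and computers that inherit a privileged group's rights
through nesting. A real response also carries a "SID" per member.
"""
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

MemberFetcher = Callable[[str], List[dict]]

# Constructed sample: group SAMAccountName -> Members as ListGroupMembers
# returns them. Contractors is nested under FileServer-Admins and contains it.
SAMPLE_DIRECTORY: Dict[str, List[dict]] = {
    "FileServer-Admins": [
        {"SAMAccountName": "jane.doe", "MemberType": "USER"},
        {"SAMAccountName": "Helpdesk-Tier2", "MemberType": "GROUP"},
    ],
    "Helpdesk-Tier2": [
        {"SAMAccountName": "john.smith", "MemberType": "USER"},
        {"SAMAccountName": "Contractors", "MemberType": "GROUP"},
        {"SAMAccountName": "FS01", "MemberType": "COMPUTER"},
    ],
    "Contractors": [
        {"SAMAccountName": "ext.vendor", "MemberType": "USER"},
        {"SAMAccountName": "FileServer-Admins", "MemberType": "GROUP"},
    ],
}


def fetch_from_sample(group: str) -> List[dict]:
    """Offline fetcher over the constructed sample directory."""
    return SAMPLE_DIRECTORY.get(group, [])


def make_boto3_fetcher(directory_id: str, region: str) -> MemberFetcher:
    """Assumption: wires the walker to the live API via boto3's "ds-data" client,
    following NextToken so large groups are read completely."""
    import boto3  # imported lazily so the offline example has no dependency

    client = boto3.client("ds-data", region_name=region)

    def fetch(group: str) -> List[dict]:
        members: List[dict] = []
        kwargs = {"DirectoryId": directory_id, "SAMAccountName": group}
        while True:
            resp = client.list_group_members(**kwargs)
            members.extend(resp.get("Members", []))
            if not resp.get("NextToken"):
                return members
            kwargs["NextToken"] = resp["NextToken"]

    return fetch


def effective_members(
    group: str, fetch: MemberFetcher
) -> Tuple[Dict[str, dict], Set[Tuple[str, str]]]:
    """Breadth-first expansion of `group`.

    Returns (found, revisits): `found` maps each transitive member to its
    MemberType and the chain of groups it inherits through; `revisits` holds
    GROUP edges that point at a group already expanded (a cycle or a diamond
    in the nesting). The expanded-set keeps the walk finite on cyclic nesting.
    """
    found: Dict[str, dict] = {}
    revisits: Set[Tuple[str, str]] = set()
    expanded: Set[str] = {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in fetch(current):
            name, kind = member["SAMAccountName"], member["MemberType"]
            if name != group and name not in found:
                found[name] = {"type": kind, "path": path}
            if kind != "GROUP":
                continue
            if name in expanded:
                revisits.add((current, name))
            else:
                expanded.add(name)
                queue.append((name, path + [name]))
    return found, revisits


def effective_users(group: str, fetch: MemberFetcher) -> List[str]:
    """Sorted logon names of every user who inherits `group`'s permissions."""
    found, _ = effective_members(group, fetch)
    return sorted(n for n, info in found.items() if info["type"] == "USER")


if __name__ == "__main__":
    found, revisits = effective_members("FileServer-Admins", fetch_from_sample)
    for name, info in sorted(found.items()):
        print(f"{info['type']:8} {name:18} via {' > '.join(info['path'])}")
    for parent, child in sorted(revisits):
        print(f"review: {parent} -> {child} (group already expanded)")
```

Running it against the sample shows `ext.vendor` inheriting FileServer-Admins rights via Helpdesk-Tier2 and Contractors, and flags the Contractors -> FileServer-Admins edge for review.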

## Updating an AWS Managed Microsoft AD group's details
<a name="ms_ad_update_group"></a>

Use the following procedure to update an AWS Managed Microsoft AD group's details with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Creating an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can update a group's details with the AWS Management Console. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md).

**To update an AWS Managed Microsoft AD group's details with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  To edit users and child groups that are members of your group, choose **Members**. From this tab, you can add and remove users and child groups from your group. For more information, see [Adding and removing members to groups and groups to groups](ms_ad_add_remove_user_group.md). 

1.  To edit parent groups that your group is a member of, choose **Parent groups**. From this tab, you can add and remove your group from parent groups. For more information, see [Adding and removing members to groups and groups to groups](ms_ad_add_remove_user_group.md).

1.  To edit your group properties, choose **Properties**, and then choose **Edit**. Or choose **Actions**, and then choose **Edit group**. Make and review your updates, and then choose **Save**. 

------
#### [ AWS CLI ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD group's details with the AWS Directory Service Data CLI. 

 When you update a group, you must include your directory ID number and group name. You also must include the update type and attribute you want to update in your request, such as a group email address with the `EmailAddress` parameter. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 
**To update an AWS Managed Microsoft AD group's details with the AWS CLI**
+  To update a group's details, open the AWS CLI, and run the following command, replacing the Directory ID, group name, update type, and attribute with your AWS Managed Microsoft AD Directory ID, group name, and desired update type and attribute: 

```
aws ds-data update-group --directory-id d-1234567890 --sam-account-name "your-group-name" --update-type "REPLACE" --group-scope "global"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that updates an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell. 

 When you update a group, you must include your directory ID number and group name. You also must include the update type and attribute you want to update in your request, such as a group email address with the `EmailAddress` parameter. For more information, see [AWS Directory Service Data attributes](ad_data_attributes.md) and [Group type and group scope](ad_group_type_and_scope.md). 
**To update an AWS Managed Microsoft AD group's details with AWS Tools for PowerShell**
+  To update a group's details, open PowerShell, and run the following command, replacing the Directory ID, group name, update type, and attribute with your AWS Managed Microsoft AD Directory ID, group name, and desired update type and attribute: 

```
Update-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name" -UpdateType "REPLACE" -GroupScope "global"
```

------

# Deleting an AWS Managed Microsoft AD group
<a name="ms_ad_delete_group"></a>

Use the following procedure to delete an AWS Managed Microsoft AD group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
When you delete a group, all information about the group is removed, including any permissions that group members inherit.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can delete an AWS Managed Microsoft AD group in the AWS Management Console.

**To delete an AWS Managed Microsoft AD group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Group**. The tab shows a list of groups in your AWS Region. 

1.  Choose the group that you want to delete. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Delete group**. A dialog box appears where you can choose **Confirm** to delete the group. 

------
#### [ AWS CLI ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD group with the AWS Directory Service Data CLI.

**To delete an AWS Managed Microsoft AD group with the AWS CLI**
+  Open the AWS CLI, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
aws ds-data delete-group --directory-id d-1234567890 --sam-account-name "your-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that deletes an AWS Managed Microsoft AD group with the AWS Tools for PowerShell.

**To delete an AWS Managed Microsoft AD group with the AWS Tools for PowerShell**
+  Open PowerShell, and run the following command, replacing the Directory ID and group name with your AWS Managed Microsoft AD Directory ID and group name: 

```
Remove-DSDGroup -DirectoryId d-1234567890 -SAMAccountName "your-group-name"
```

------

# Adding and removing AWS Managed Microsoft AD members to groups and groups to groups
<a name="ms_ad_add_remove_user_group"></a>

 With the [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html), a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time. 

Use the following procedures to add or remove an AWS Managed Microsoft AD user to a group or group to another group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell. 

## Adding a user to a group
<a name="add_user_to_group"></a>

Use the following procedure to add an AWS Managed Microsoft AD user to a group with user and group management or AWS Directory Service Data in either the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 When you add an AWS Managed Microsoft AD user to a group, the user inherits the roles and permissions assigned to the group. These roles and permissions are part of the user's group memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD user](ms_ad_create_user.md).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can add an AWS Managed Microsoft AD member to a group with the AWS Management Console.

**To add an AWS Managed Microsoft AD user to a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. To find groups, enter the group name in the search box under the **Groups** section. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Under the **Members** tab, choose **Add member**. 

1.  Under **Members**, select the user you want to add to your group, and then choose **Add member to group**. To find members, enter the user logon name for users and group name for groups in the search box under the **Members** section. 

------
#### [ AWS CLI ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD member to a group with the AWS Directory Service Data CLI. 

**To add an AWS Managed Microsoft AD user to a group with the AWS CLI**
+  To add a user to a group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID and group and member names: 

```
aws ds-data add-group-member --directory-id d-1234567890 --group-name "your-group-name" --member-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD member to a group with AWS Tools for PowerShell. 

**To add an AWS Managed Microsoft AD user to a group with AWS Tools for PowerShell**
+  To add a user to a group, open the PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID and group and member names: 

```
Add-DSDGroupMember -DirectoryId d-1234567890 -GroupName "your-group-name" -MemberName "jane.doe"
```

------

## Removing a user from a group
<a name="remove_user_from_group"></a>

 With the [AWS Directory Service Data API](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html), a member can be a user, group, or computer. A user represents a person or entity that can access your directory. Groups allow you to grant and deny permissions to more than one user at a time. 

Use the following procedure to remove an AWS Managed Microsoft AD user from a group with user and group management or AWS Directory Service Data in the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.

**Important**  
 When you remove an AWS Managed Microsoft AD user from a group, the user loses access to the roles and permissions assigned to the group. These roles and permissions are part of the group's memberships.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD user](ms_ad_create_user.md).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can remove an AWS Managed Microsoft AD member from a group with the AWS Management Console.

**To remove an AWS Managed Microsoft AD user from a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Select the user you want to remove from your group, and then choose **Remove**. To find users, enter the user logon name in the search box under the **Members** section.

1.  Confirm that you want to remove the user from your group, and then choose **Remove** again. 

------
#### [ AWS CLI ]

 The following describes how to format a request that removes an AWS Managed Microsoft AD member from a group with the AWS Directory Service Data CLI.

**To remove an AWS Managed Microsoft AD user from a group with the AWS CLI**
+  To remove a user from a group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data remove-group-member --directory-id d-1234567890 --group-name "your-group-name" --member-name "jane.doe"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that removes an AWS Managed Microsoft AD member from a group with AWS Tools for PowerShell.

**To remove an AWS Managed Microsoft AD user from a group with AWS Tools for PowerShell**
+  To remove a user from a group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Remove-DSDGroupMember -DirectoryId d-1234567890 -GroupName "your-group-name" -MemberName "jane.doe"
```

------
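The add and remove commands above change one membership at a time, and each change immediately grants or revokes whatever the group is entitled to. When a group's membership is being brought in line with an approved list, it is safer to compute the full set of changes first and review it before running anything. The following planner is an added example written for this page, not code from AWS or from the AWS CLI: it takes a constructed snapshot of a group's current members and the members it should have, and emits the same `aws ds-data add-group-member` and `remove-group-member` commands shown in this section. The directory ID, group name and member names are constructed sample values; nothing is executed against a directory.

```python
"""Plan membership changes for one AWS Managed Microsoft AD group.

Compares the members a group currently has against the members it should have
and emits the `aws ds-data add-group-member` / `remove-group-member` commands
(the same flags used on this page) that close the gap. Nothing is executed: the
plan is printed so it can be reviewed before an operator runs it.
"""
import shlex

# Constructed sample data (not a real directory): a directory ID, a group, a
# snapshot of its current members, and the approved member list.
DIRECTORY_ID = "d-1234567890"
GROUP_NAME = "finance-readers"
CURRENT_MEMBERS = {"jane.doe", "john.roe", "svc-legacy-report"}
DESIRED_MEMBERS = {"jane.doe", "maria.garcia", "john.roe"}


def summarize(current, desired):
    """Return (unchanged, to_add, to_remove) member sets for a change summary."""
    current, desired = set(current), set(desired)
    return current & desired, desired - current, current - desired


def plan_membership_changes(directory_id, group_name, current, desired):
    """Return the CLI commands that turn `current` into `desired`.

    Removals come first so access is narrowed before it is widened; within each
    kind, members are sorted so the plan is stable and easy to diff in review.
    Every value is shell-quoted, so names containing spaces stay intact.
    """
    _, to_add, to_remove = summarize(current, desired)
    commands = []
    for member in sorted(to_remove):
        commands.append(
            "aws ds-data remove-group-member --directory-id %s --group-name %s --member-name %s"
            % (shlex.quote(directory_id), shlex.quote(group_name), shlex.quote(member))
        )
    for member in sorted(to_add):
        commands.append(
            "aws ds-data add-group-member --directory-id %s --group-name %s --member-name %s"
            % (shlex.quote(directory_id), shlex.quote(group_name), shlex.quote(member))
        )
    return commands


if __name__ == "__main__":
    unchanged, to_add, to_remove = summarize(CURRENT_MEMBERS, DESIRED_MEMBERS)
    print(f"# {GROUP_NAME}: {len(unchanged)} unchanged, {len(to_add)} to add, {len(to_remove)} to remove")
    for cmd in plan_membership_changes(DIRECTORY_ID, GROUP_NAME, CURRENT_MEMBERS, DESIRED_MEMBERS):
        print(cmd)
```

Running the script prints a one-line summary followed by one command per change; for the sample data that is one removal (`svc-legacy-report`) and one addition (`maria.garcia`). The same function works for the PowerShell cmdlets by swapping the command template, and for group-to-group nesting because `add-group-member` takes a group name as `--member-name` just as it takes a user name.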

## Adding a group to a group
<a name="add_group_to_group"></a>

When you add an AWS Managed Microsoft AD group to another group, the groups share a parent-child relationship. The child group gains access to the roles and permissions that are assigned to the parent group. You can add a child group to your group and your group to a parent group.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

You can add an AWS Managed Microsoft AD group to a group with the AWS Management Console.

**To add a child group to your group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Choose **Add member**. 

1.  Under **Members**, select the child group(s) you want to add to your group, and then choose **Add member to group**.

**To add a parent group to a group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. To find groups, enter the group name in the search box under the **Groups** section. You're directed to the **Group details** screen. 

1.  Choose **Parent groups**. The tab shows a list of groups that your group is a member of. 

1.  Choose **Add parent groups**. 

1.  Under **Groups**, select the group(s) you want to add your group to, and then choose **Add parent groups** again.

------
#### [ AWS CLI ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD group to a group with the AWS Directory Service Data CLI. 

**To add a child group to your group with the AWS CLI**
+  To add a child group to a parent group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data add-group-member --directory-id d-1234567890 --group-name "parent-group-name" --member-name "child-group-name"
```

------
#### [ AWS Tools for PowerShell ]

 The following describes how to format a request that adds an AWS Managed Microsoft AD group to a group with AWS Tools for PowerShell. 

**To add a child group to your group with AWS Tools for PowerShell**
+  To add a child group to a parent group, open the PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Add-DSDGroupMember -DirectoryId d-1234567890 -GroupName "parent-group-name" -MemberName "child-group-name"
```

------

## Removing a group from a group
<a name="remove_group_from_group"></a>

 When you remove an AWS Managed Microsoft AD group from another group, the groups no longer share a parent-child relationship. The child group loses access to the roles and permissions that are assigned to the parent group. You can remove a child group from your group and your group from a parent group.

**Before you begin either procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

------
#### [ AWS Management Console ]

 You can remove an AWS Managed Microsoft AD group from a group with the AWS Management Console.

**To remove a child group from your group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. You're directed to the **Group details** screen. To find groups, enter the group name in the search box under the **Groups** section. 

1.  Choose **Members**. The tab shows a list of users and child groups by member type in your group. 

1.  Select the child group(s) you want to remove from your group, and then choose **Remove**.

1.  Confirm the child group(s) you want to remove from your group, and then choose **Remove** again. 

**To remove your group from a parent group with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1.  Choose a group. You're directed to the **Group details** screen. To find groups, enter the group name in the search box under the **Groups** section. 

1.  Choose **Parent groups**. The tab shows a list of groups that your group is a member of. 

1.  Select the parent group you want to remove your group from, and then choose **Remove parent groups**. 

1.  Confirm the parent group you want to remove your group from, and then choose **Remove parent groups** again. 

------
#### [ AWS CLI ]

The following describes how to format a request that removes an AWS Managed Microsoft AD group from a group with the AWS Directory Service Data CLI. 

**To remove a child group from a parent group with the AWS CLI**
+  To remove a child group from a parent group, open the AWS CLI, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
aws ds-data remove-group-member --directory-id d-1234567890 --group-name "parent-group-name" --member-name "child-group-name"
```

------
#### [ AWS Tools for PowerShell ]

The following describes how to format a request that removes an AWS Managed Microsoft AD group from a group with AWS Tools for PowerShell. 

**To remove a child group from a parent group with AWS Tools for PowerShell**
+  To remove a child group from a parent group, open PowerShell, and run the following command, replacing the Directory ID, group and member names with your AWS Managed Microsoft AD Directory ID, group and member names: 

```
Remove-DSDGroupMember -DirectoryId d-1234567890 -GroupName "parent-group-name" -MemberName "child-group-name"
```

------
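The two sections above describe nesting as a parent-child relationship: members of the child group gain the roles and permissions of the parent group, and removing the child revokes them. Because that inheritance chains through every level of nesting, the **Members** tab of one group does not show everything a member is actually entitled to. The following is an added example written for this page, not code from AWS: over a constructed snapshot of direct memberships (the kind of data each group's **Members** tab shows), it computes the full set of groups a member effectively belongs to, shows which of those would be lost by a particular `remove-group-member`, and flags an `add-group-member` that would make a group its own ancestor. The group and user names are constructed sample values, and refusing loops is this script's own policy rather than a rule stated on this page.

```python
"""Effective membership through nested AWS Managed Microsoft AD groups.

Adding group B as a member of group A makes A the parent of B: B's members gain
A's roles and permissions, and so on up the chain. These helpers answer the
questions worth asking before nesting or un-nesting groups: what does a member
effectively belong to, what would a removal revoke, and would an addition loop.
"""
from collections import deque

# Constructed sample (not a real directory): direct memberships only, keyed by
# group, exactly as each group's Members tab would list them.
DIRECT_MEMBERS = {
    "all-staff": {"finance", "engineering"},
    "finance": {"finance-approvers", "jane.doe"},
    "finance-approvers": {"john.roe"},
    "engineering": {"maria.garcia"},
}


def parents_of(direct_members):
    """Invert the members map: member -> set of groups it is a direct member of."""
    parents = {}
    for group, members in direct_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(direct_members, member):
    """Every group `member` belongs to, directly or through nested parent groups."""
    parents = parents_of(direct_members)
    seen = set()
    queue = deque(parents.get(member, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # tolerate existing loops instead of spinning
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def groups_lost_by_removal(direct_members, group_name, member_name, affected):
    """Groups `affected` would no longer belong to if `member_name` were removed
    from `group_name` (the arguments of remove-group-member, plus whom to check)."""
    before = effective_groups(direct_members, affected)
    after_map = {g: set(m) for g, m in direct_members.items()}
    after_map.get(group_name, set()).discard(member_name)
    return before - effective_groups(after_map, affected)


def would_create_cycle(direct_members, parent_group, child_group):
    """True if add-group-member with these names would make a group its own ancestor.

    A loop forms exactly when the would-be parent already inherits from the child.
    """
    if parent_group == child_group:
        return True
    return child_group in effective_groups(direct_members, parent_group)


if __name__ == "__main__":
    for who in ("john.roe", "jane.doe", "maria.garcia"):
        print(f"{who}: {sorted(effective_groups(DIRECT_MEMBERS, who))}")
    lost = groups_lost_by_removal(DIRECT_MEMBERS, "finance", "finance-approvers", "john.roe")
    print(f"removing finance-approvers from finance costs john.roe: {sorted(lost)}")
    print("nest all-staff under finance-approvers would loop:",
          would_create_cycle(DIRECT_MEMBERS, "finance-approvers", "all-staff"))
```

For the sample data, `john.roe` is a direct member of `finance-approvers` only, yet effectively holds `finance` and `all-staff` as well; removing `finance-approvers` from `finance` takes both inherited groups away from him while leaving his direct membership intact. The cycle check is what you would run before the `add-group-member` call in the previous sections when both names are groups.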

# Copying AWS Managed Microsoft AD group memberships in the AWS Management Console
<a name="copy_group_membership"></a>

 You can copy group memberships from one AWS Managed Microsoft AD user into another user in the AWS Management Console. Group memberships are the roles and permissions that a user inherits when you add them to a group. 

**Before you begin this procedure, you need to complete the following:**
+ [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ To use user and group management or AWS Directory Service Data CLI, it must be enabled. For more information, see [Enable user and group management or Directory Service Data](ms_ad_users_groups_mgmt_enable_disable.md).
+  You can only enable this feature from the Primary AWS Region for your directory. For more information, see [Primary vs additional Regions](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/multi-region-global-primary-additional.html).
+ You'll need the necessary IAM permissions to use AWS Directory Service Data. For more information, see [Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). To get started granting permissions to your users and workloads, you can use AWS managed policies like [AWS managed policy: AWSDirectoryServiceDataFullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataFullAccess) or [AWS managed policy: AWSDirectoryServiceDataReadOnlyAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSDirectoryServiceDataReadOnlyAccess). For more information, see [Security best practices in IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies).
+ [Create an AWS Managed Microsoft AD group](ms_ad_create_group.md).

**To copy AWS Managed Microsoft AD group memberships with the AWS Management Console**

1. Open the Directory Service console at [https://console.aws.amazon.com/directoryservicev2/](https://console.aws.amazon.com/directoryservicev2/).

1.  From the navigation pane, choose **Active Directory**, and then choose **Directories**. You're directed to the **Directories** screen where you can view a list of directories in your AWS Region. 

1.  Choose a directory. You're directed to the **Directory details** screen. 

1.  Choose **Groups**. The tab shows a list of groups in your AWS Region. 

1. Choose the user whose group memberships you want to copy. To find a user, enter the user logon name in the search box under the **Users** section. You're directed to the **User details** screen.

1.  Choose **Copy all group memberships**. You're directed to a procedure where you can specify which groups you want to copy. 

   1.  For **Verify groups to copy**, under **Groups to copy**, select the groups with roles and permissions you want to copy, and then choose **Next**. 

   1.  For **Select destination account**, under **Account type**, choose **Existing user account** to copy group memberships into an existing user account. Alternatively, choose **New user account** to create a new user and copy group memberships into the new user account. To find a group, enter the group's name in the search box under the **Selected groups** section. 

      1. *(Optional)* If you choose **Existing user account**, select the destination accounts to copy the roles and permissions into, and then choose **Next**. 

      1. *(Optional)* If you choose **New user account**, complete the procedure, and then choose **Next**. For information about creating a user, see [Creating a user](ms_ad_create_user.md). 

   1.  For **Review and copy group memberships**, review your choices, and then choose **Copy group membership**. 