Forum Discussion
Why is an AAD DC Administrator not a Domain Admin?
I couldn't figure out why I was unable to connect to my Win 10 session hosts using the credentials I used to join the session hosts to the domain during deployment.
I see now that this account, which is part of the AAD DC Administrators group in Azure AD and AADDS, is not a member of Domain Admins in the AADDS domain, and therefore it doesn't automatically have remote desktop connection rights to the session host. Is that by design or did I do something wrong? Is it a bad idea to manually add this account to the Domain Admins group?
And how is it that standard users automatically get these remote desktop connection rights? The account that's denied access is part of the same Azure AD security group that has an assignment to the Desktop Application Group for the Host Pool. So why can an ordinary user log in but not an account with the power to join a machine to the domain?
- YannickJanssens1986 Brass Contributor
AADDS has several limitations. One of them is that you can never be a Domain Administrator in the managed domain. So you can't add that account manually either:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#do-i-have-domain-administrator-privileges-for-the-managed-domain-provided-by-azure-ad-domain-services-
- David Schrag Iron Contributor
That's interesting. So how do you perform administrative functions on the session hosts -- always as the local admin?
- YannickJanssens1986 Brass Contributor
If I recall correctly there should be a standard GPO in the AADDS domain that adds the AAD DC Admin group to the local admins of a session host. It's applied on the AADDC Computers OU, so perhaps you moved your VMs to another OU? Try applying that GPO there as well.
I believe it's called "AADDC Computers GPO" but I'm not sure!
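A way to check the two things this thread turns on from the session host itself (whether the AAD DC Administrators group landed in the local groups that carry RDP rights, and whether the VM is still under the AADDC Computers OU where that GPO is linked), as an added PowerShell diagnostic that is not part of the original discussion. The group name and the OU name come from the thread; the exact GPO name and everything else are assumptions, so adjust them to your managed domain.

```powershell
# Added diagnostic, not code from the thread. Run in an elevated PowerShell
# session on the affected session host (joined to the AADDS managed domain).
# Assumption: the group is named exactly as in Azure AD; change it if yours differs.
param([string]$GroupName = 'AAD DC Administrators')

function Test-LocalGroupMembership {
    param([string]$LocalGroup, [string]$Member)
    # Get-LocalGroupMember can fail on orphaned SIDs; report that instead of aborting
    try { $members = Get-LocalGroupMember -Group $LocalGroup -ErrorAction Stop }
    catch { return [PSCustomObject]@{ LocalGroup = $LocalGroup; Member = $Member; Present = 'unknown'; Error = $_.Exception.Message } }
    # Match with or without a DOMAIN\ prefix on the member name
    $hit = $members | Where-Object { $_.Name -eq $Member -or $_.Name -like "*\$Member" }
    [PSCustomObject]@{ LocalGroup = $LocalGroup; Member = $Member; Present = [bool]$hit; Error = $null }
}

# 1. By default the "Allow log on through Remote Desktop Services" right is granted
#    to local Administrators and Remote Desktop Users. If the AAD DC Administrators
#    group is in neither, the symptom described in the thread follows.
'Administrators', 'Remote Desktop Users' | ForEach-Object {
    Test-LocalGroupMembership -LocalGroup $_ -Member $GroupName
} | Format-Table -AutoSize

# 2. Where does this computer object live? The GPO the thread refers to is linked to
#    the AADDC Computers OU, so a VM moved to another OU will not receive it.
$searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result = $searcher.FindOne()
if ($null -eq $result) {
    "Computer object for $env:COMPUTERNAME not found in the directory."
} else {
    $dn = $result.Properties['distinguishedname'][0]
    "Computer DN: $dn"
    if ($dn -notmatch 'OU=AADDC Computers,') {
        "Not under the AADDC Computers OU; the default GPO is probably not linked here."
    }
}

# 3. Which computer-scope GPOs actually applied (resultant set of policy).
#    The header text is localized; adjust the pattern on non-English systems.
gpresult /r /scope:computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

If step 1 shows the group missing from both local groups while step 3 does not list the AADDC Computers GPO, moving the VM back under that OU (or linking the GPO to its current OU) and running `gpupdate /force` is the fix the thread points to.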