Forum Discussion

Iron Contributor

Jun 01, 2021

Solved

Why is an AAD DC Administrator not a Domain Admin?

I couldn't figure out why I was unable to connect to my Win 10 session hosts using the credentials I used to join the session hosts to the domain during deployment. I see now that this account, w...

YannickJanssens1986
Jun 02, 2021
David Schrag
If I recall correctly there should be a standard GPO in the AADDS domain that adds the AAD DC Admin group to the local admins of a sessionhost. It's applied on the AADDC Computers OU so perhaps you moved your VM's to another OU? Try applying that GPO there as well.

I believe it's called "AADDC Computers GPO" but I'm not sure!

YannickJanssens1986

Brass Contributor

Jun 02, 2021

AADDS has several limitations. One of them is that you can never be a Domain Administrator in the managed domain. So you can't add that account manually either:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#do-i-have-domain-administrator-privileges-for-the-managed-domain-provided-by-azure-ad-domain-services-

David Schrag
Iron Contributor
Jun 02, 2021
That's interesting. So how do you perform administrative functions on the session hosts -- always as the local admin?
- YannickJanssens1986
  Brass Contributor
  Jun 02, 2021
  David Schrag
  If I recall correctly there should be a standard GPO in the AADDS domain that adds the AAD DC Admin group to the local admins of a sessionhost. It's applied on the AADDC Computers OU so perhaps you moved your VM's to another OU? Try applying that GPO there as well.
  
  I believe it's called "AADDC Computers GPO" but I'm not sure!
  - Travis_78
    Iron Contributor
    Feb 01, 2024
    YannickJanssens1986 This helped me out. Thank you! Same issue, using a separate OU and didnt think to link this GPO.