Why is an AAD DC Administrator not a Domain Admin?
- Jun 02, 2021
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#do-i-have-domain-administrator-privileges-for-the-managed-domain-provided-by-azure-ad-domain-services-
- YannickJanssens1986, Jun 02, 2021, Brass Contributor
If I recall correctly there should be a standard GPO in the AADDS domain that adds the AAD DC Admin group to the local admins of a session host. It's applied on the AADDC Computers OU so perhaps you moved your VMs to another OU? Try applying that GPO there as well.
I believe it's called "AADDC Computers GPO" but I'm not sure!
- Travis_78, Feb 01, 2024, Iron Contributor
YannickJanssens1986 This helped me out. Thank you! Same issue, using a separate OU and didn't think to link this GPO.
- David Schrag, Jun 02, 2021, Iron Contributor
Excellent catch! There is indeed a GPO called AADDC Computers GPO, applied to the AADDC Computers OU, that does just what you described. I have been putting my session hosts in a separate OU so I could apply WVD-specific policies to them. I linked the GPO to my WVD Host OU, ran gpupdate /force on a session host, and got in with my not-really-a-domain-admin account. 🙂 Thanks!
- YannickJanssens1986, Jun 02, 2021, Brass Contributor
Glad you got it sorted out!
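
The fix confirmed in this thread, as an added PowerShell example that is not part of any post: it checks whether "AADDC Computers GPO" applies to the OU holding the session hosts, links it if it does not, and then verifies the local Administrators group on a host. The OU distinguished name is a placeholder, and the group name `AAD DC Administrators`, the function name and the use of the GroupPolicy RSAT module on a domain-joined management VM are assumptions.

```powershell
# Added example, not code from the thread.
# Part 1 runs on a domain-joined management VM with the GroupPolicy RSAT module,
# signed in as a member of AAD DC Administrators (assumption).
Import-Module GroupPolicy

$GpoName  = 'AADDC Computers GPO'              # GPO name as given in the thread
$TargetOu = 'OU=WVD Hosts,DC=example,DC=com'   # placeholder DN, replace with your OU

# Part 1: does the GPO apply to the custom OU, directly or through inheritance?
$som       = Get-GPInheritance -Target $TargetOu
$direct    = $som.GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
$effective = $som.InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

if ($effective) {
    Write-Output "'$GpoName' already applies to $TargetOu"
}
elseif ($direct) {
    # A link exists on this OU but is disabled: enable it instead of adding a second one
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    Write-Output "Enabled existing link of '$GpoName' on $TargetOu"
}
else {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    Write-Output "Linked '$GpoName' to $TargetOu"
}

# Part 2: run on a session host in that OU once the link is in place.
# Test-AaddcLocalAdmin is a hypothetical helper name.
function Test-AaddcLocalAdmin {
    gpupdate /force | Out-Null     # same refresh step used in the thread
    # 'Administrators' is the English name of the built-in group; it is localized
    $members = Get-LocalGroupMember -Group 'Administrators'
    [bool]($members | Where-Object { $_.Name -like '*\AAD DC Administrators' })
}

if (Test-AaddcLocalAdmin) {
    Write-Output 'AAD DC Administrators is a local administrator on this host'
}
else {
    Write-Warning 'Group not found in local Administrators; check the link with gpresult /r'
}
```

Linking the GPO makes every member of that group a local administrator on every computer in the target OU, so keep the OU limited to hosts those accounts are meant to manage.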