Forum Discussion
Some Question Manage user in Azure AD Domain Service
Hello
In Azure AD Domain Service i see default have some ou
in ADDC Users , i can create new user in here ? and can delete user in here ? if delete or create user in here then it can sync to Active Directory on-premier ?
Best Regards,
Thanks
Hello Tien Ngo Thanh !
When you create AAD DS and you are member of "AAD DC Admins" it has limited permissions to managed domain (no domain or enterprise admin permissions). Pretty good list what can be done is found https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain
Last time I had a possibility to play with AAD Domain Services default permissions for those default OU's were defined so that admin were not able to create users for the OU's. Those were:
- read permissions for all objects
- write permissions for gpOptions & gpLink
Another questions was about the synchronization, it's one-way sync from on-premises to AAD Domain Services. If you create user account to own OU it will not be synced back to on-premises.
Note for managing custom OU's from docs.microsoft.com:
With a custom OU, you can go ahead and create users, groups, computers, and service accounts in this OU. You cannot move users or groups from the 'AADDC Users' OU to custom OUs.
User accounts, groups, service accounts, and computer objects that you create under custom OUs are not available in your Azure AD tenant. In other words, these objects do not show up using the Azure AD Graph API or in the Azure AD UI. These objects are only available in your Azure AD Domain Services managed domain.
2 Replies
Hello Tien Ngo Thanh !
When you create AAD DS and you are member of "AAD DC Admins" it has limited permissions to managed domain (no domain or enterprise admin permissions). Pretty good list what can be done is found https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain
Last time I had a possibility to play with AAD Domain Services default permissions for those default OU's were defined so that admin were not able to create users for the OU's. Those were:
- read permissions for all objects
- write permissions for gpOptions & gpLink
Another questions was about the synchronization, it's one-way sync from on-premises to AAD Domain Services. If you create user account to own OU it will not be synced back to on-premises.
Note for managing custom OU's from docs.microsoft.com:
With a custom OU, you can go ahead and create users, groups, computers, and service accounts in this OU. You cannot move users or groups from the 'AADDC Users' OU to custom OUs.
User accounts, groups, service accounts, and computer objects that you create under custom OUs are not available in your Azure AD tenant. In other words, these objects do not show up using the Azure AD Graph API or in the Azure AD UI. These objects are only available in your Azure AD Domain Services managed domain.
If you do not have any admin permssions as domain admin or enterprise admin you should not be allowed to create or remove users from there. The easiest way to do it is to create it through Azure AD and after that once the user is created it will sync up to 20 minutesTien Ngo Thanh
