SOLVED

Why is an AAD DC Administrator not a Domain Admin?

Contributor

I couldn't figure out why I was unable to connect to my Win 10 session hosts using the credentials I used to join the session hosts to the domain during deployment.


I see now that this account, which is part of the AAD DC Administrators group in Azure AD and AADDS, is not a member of Domain Admins in the AADDS domain, and therefore it doesn't automatically have remote desktop connection rights to the session host. Is that by design or did I do something wrong? Is it a bad idea to manually add this account to the Domain Admins group?


And how is it that standard users automatically get these remote desktop connection rights? The account that's denied access is part of the same Azure AD security group that has an assignment to the Desktop Application Group for the Host Pool. So why can an ordinary user log in but not an account with the power to join a machine to the domain?

5 Replies
AADDS has several limitations. One of them is that you can never be a Domain Administrator in the managed domain. So you can't add that account manually either:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#do-i-have-domain-admini...


That's interesting. So how do you perform administrative functions on the session hosts -- always as the local admin?
best response confirmed by David Schrag (Contributor)
Solution

@David Schrag 

If I recall correctly there should be a standard GPO in the AADDS domain that adds the AAD DC Admin group to the local admins of a session host. It's applied on the AADDC Computers OU, so perhaps you moved your VMs to another OU? Try applying that GPO there as well.


I believe it's called "AADDC Computers GPO" but I'm not sure!


Excellent catch! There is indeed a GPO called AADDC Computers GPO, applied to the AADDC Computers OU, that does just what you described. I have been putting my session hosts in a separate OU so I could apply WVD-specific policies to them. I linked the GPO to my WVD Host OU, ran gpupdate /force on a session host, and got in with my not-really-a-domain-admin account. :) Thanks!
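The fix described in this thread (link the AADDC Computers GPO to the custom session-host OU, then refresh policy) can be verified rather than assumed. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the management VM you run it from, and the host name `wvd-sh-01` is a placeholder. It reads the session host's OU from AD, checks whether the GPO is linked there or inherited from a parent OU, and then confirms on the host itself that the AAD DC Administrators group actually ended up in the local Administrators group, so you are not relying on a login attempt to find out.

```powershell
# Added example (not from the thread): verify that a session host placed in a
# custom OU still receives the AADDS-provided GPO and ends up with the
# AAD DC Administrators group as a local administrator.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules are installed here,
# WinRM is enabled on the session host, and the host name is a placeholder.

param(
    [string]$SessionHost = 'wvd-sh-01',             # placeholder host name
    [string]$GpoName     = 'AADDC Computers GPO',   # GPO name quoted in the thread
    [string]$AdminGroup  = 'AAD DC Administrators'  # group discussed in the thread
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Find the OU the session host actually lives in (the thread's root cause:
#    hosts moved out of the AADDC Computers OU no longer get the GPO).
$computer = Get-ADComputer -Identity $SessionHost -Properties DistinguishedName
$ou = ($computer.DistinguishedName -split ',', 2)[1]
Write-Host "Computer OU: $ou"

# 2. Check the GPOs that apply to that OU, including links inherited from
#    parent containers, for the AADDS GPO.
$inheritance = Get-GPInheritance -Target $ou
$linked = $inheritance.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if ($linked) {
    Write-Host "'$GpoName' applies to $ou (Enabled=$($linked.Enabled), Enforced=$($linked.Enforced))"
} else {
    Write-Warning "'$GpoName' is not linked to $ou or any parent; link it with:"
    Write-Warning "  New-GPLink -Name '$GpoName' -Target '$ou'"
}

# 3. On the host itself, confirm the group landed in local Administrators.
#    If the link is present but the group is missing, policy has not been
#    refreshed yet (the thread used 'gpupdate /force').
$members = Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}
if ($members -match [regex]::Escape($AdminGroup)) {
    Write-Host "$AdminGroup is a local Administrator on $SessionHost"
} else {
    Write-Warning "$AdminGroup is missing from local Administrators on $SessionHost; run 'gpupdate /force' there and re-check"
}
```

Run it after linking the GPO and again after `gpupdate /force`; the second check is the one that matters, since a linked GPO that has not been applied yet still leaves the account unable to sign in. Because membership is granted through the local Administrators group rather than Domain Admins, the same check also shows which other groups have administrative rights on the host, which is worth reviewing whenever session hosts are moved between OUs.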
Glad you got it sorted out!