When adding the AD Service Account to support AWS WorkSpaces, you must provide an account that has permission to create computer objects in the OU specified at that time.
• See Appendix 1 for details
We recommend using the same service account and granting it the additional permission to delete computer objects. When a WorkSpace is terminated through the Management Portal, the system can then remove the orphaned computer object instead of leaving stale objects in the OU.
If the application management option is used, the AD service account is also used to create user accounts and to add and remove users from AD groups, so it will need the corresponding rights on the user and group objects in that OU.
Using Active Directory Users and Computers, you can delegate the administration of an Organizational Unit to a user or group that would not otherwise have administrative permissions on it, without making that account a member of a built-in administrative group.
To do this, follow these steps:
1. On your domain controller, click Start and point to Administrative Tools
2. Click Active Directory Users and Computers
3. In Active Directory Users and Computers, select the OU whose administration you want to delegate
4. Right-click the OU and click Delegate Control. This starts the Delegation of Control Wizard
5. In the Users or Groups window, click Add
6. Find the service account (or group) and double-click it
7. Click OK, then click Next
8. In the Tasks to Delegate window, choose the permissions to assign and click Next. The common tasks list does not include computer objects; to grant only create and delete of computer objects, choose Create a custom task to delegate, select Only the following objects in the folder, tick Computer objects together with Create selected objects in this folder and Delete selected objects in this folder, then click Next
9. Review the summary and click Finish
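The same delegation can be scripted, which is easier to review and repeat than the wizard and lets you grant exactly the rights the two sections above call for (create and delete computer objects, and optionally user and group objects for the application management option). The block below is an added example with the ActiveDirectory PowerShell module; it is not code from the original page or from AWS. The account name svc-workspaces and the OU OU=WorkSpaces,DC=corp,DC=example are assumed, hypothetical names.

```powershell
# Added example (not from the original page or AWS): grant an existing AD service
# account the minimum rights on the WorkSpaces OU with the ActiveDirectory module.
# Assumed (hypothetical) names: account 'svc-workspaces', OU 'OU=WorkSpaces,DC=corp,DC=example'.
# Run as a user who is allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-workspaces'
$TargetOU       = 'OU=WorkSpaces,DC=corp,DC=example'

# Resolve the schema GUID of an object class (computer, user, group) from the
# schema partition instead of hardcoding it, so the ACE is scoped to that class only.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ClassName)" `
                          -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$ClassName' not found" }
    return [guid]$class.schemaIDGUID
}

# Add one ACE allowing the identity to create (and optionally delete) child objects
# of a single class under the OU and all sub-OUs.
function Grant-ChildObjectRights {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$ClassName,
        [switch]$AllowDelete
    )
    $sid    = (Get-ADUser -Identity $Identity).SID
    $guid   = Get-SchemaClassGuid -ClassName $ClassName
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    if ($AllowDelete) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights](
            $rights -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
    }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# What the page asks for: create computer objects, plus delete so the portal can
# remove the orphaned object when a WorkSpace is terminated.
Grant-ChildObjectRights -Identity $ServiceAccount -DistinguishedName $TargetOU `
                        -ClassName 'computer' -AllowDelete

# Only if the application management option is used: the same account must be able
# to create user objects. Group membership changes are writes to the 'member'
# attribute of existing groups and are not covered by CreateChild; that is a
# separate, attribute-level ACE not shown here.
# Grant-ChildObjectRights -Identity $ServiceAccount -DistinguishedName $TargetOU -ClassName 'user'

# Verify: show only the ACEs on the OU that name the service account.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ServiceAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

The ACE is object-type scoped (ObjectType is the class GUID), so the account can create and delete computer objects but not users, groups or sub-OUs, which is the least-privilege equivalent of the wizard's "Only the following objects in the folder" choice. The script grants only what this page states; check the AWS WorkSpaces prerequisites for any further rights the domain join itself requires, and remember that if the service account's password or credentials are ever exposed, these rights on the OU are what an attacker inherits.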
Delegate policy-related permissions on a domain, OU, or site using GPMC:
http://technet.microsoft.com/en-us/library/cc759064%28WS.10%29.aspx
Delegating Administration of Account and Resource OUs:
http://technet.microsoft.com/en-us/library/cc784406%28WS.10%29.aspx