When adding the AD service account to support AWS WorkSpaces, you must provide an account that has permission to create computer objects in the AD OU specified at that time.

• See Administrator Active Directory Permissions for details

We recommend using the same service account and also granting it permission to delete computer objects. When a WorkSpace is terminated through the Management Portal, the system will then be able to remove the orphaned computer object.

The AD service account is also used to create user accounts and add/remove users from AD groups if the application management option is used.

Using Active Directory Users and Computers, you can delegate the administration of an Organizational Unit to a user or group that may not otherwise have administrative permissions.

To do this, follow these steps:
1. On your domain controller, click Start and point to Administrative Tools
2. Click Active Directory Users and Computers
3. In Active Directory Users and Computers, select the OU for which you want to delegate administration
4. Right-click the OU and click Delegate Control. This will start the delegation control wizard
5. In the Select User Account window, click Add
6. Find the correct user or group and double-click it
7. Click OK
8. In the Tasks to Delegate window, choose the permissions to assign and click Next
9. Review the summary and click Finish
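
The same delegation can be scripted so that the service account receives only the create and delete rights for computer objects described above, and the result can be reviewed afterwards. This is an added example, not part of the original procedure; the OU distinguished name and the account name `svc-workspaces` are placeholders, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: scripted equivalent of the Delegate Control wizard,
# limited to creating and deleting computer objects in one OU.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your OU and service account.
$ouDn    = 'OU=WorkSpaces,DC=example,DC=com'
$account = 'svc-workspaces'

# schemaIDGUID of the "computer" object class. Scoping the ACE to this
# class keeps the account from creating or deleting other object types.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid  = (Get-ADUser -Identity $account).SID
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Allow CreateChild and DeleteChild for computer objects, on this OU
# and any child OUs beneath it.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review: list every ACE the service account now holds on the OU, so
# broader grants than intended (for example GenericAll) stand out.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$account" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType -AutoSize
```

In the review output, an `ObjectType` of all zeros means the ACE is not restricted to a single object class.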

Delegate policy-related permissions on a domain, OU, or site using GPMC:

Delegating Administration of Account and Resource OUs:

