
Administrator Active Directory Permissions

To administer user accounts, groups, and computers in Active Directory (whether globally or within selected Organizational Units (OUs)), refer to the following table for the key details:

Operation
Permissions Needed

User Management

Create Users

To perform administrative tasks in Active Directory, the following permissions or group memberships are required:

  • You must be a member of the built-in Administrators group or the Account Operators group, OR

  • You must have specific permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

These permissions ensure you have the necessary rights to manage user accounts, groups, and computers in the designated areas of the directory.

Modify Users

  • You must be a member of the built-in Administrators group or the Account Operators group, OR

  • You must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

Note: It is also possible to grant permissions to modify specific attributes of an object, rather than granting full control over the entire object. This allows for more granular control over what aspects of the user accounts or other objects can be changed.

Delete Users

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the necessary permissions to create, delete, and manage user accounts or equivalent permissions within the relevant Organizational Unit (OU) or container in Active Directory.

Computer Management

Create Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Create selected objects in this folder’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory.

Modify Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Create selected objects in this folder: with write permission’, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Delete Computers

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Computer Objects – Delete selected objects’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Group Management

Create Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Modify Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission in the relevant Organizational Unit (OU) or container in Active Directory.

Delete Groups

  • Must be a member of the built-in Administrators group or the Account Operators group, OR

  • Must have the ‘Create, manage, and delete user groups’ permission, or an equivalent permission within the relevant Organizational Unit (OU) or container in Active Directory.
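The OU-scoped alternative to built-in group membership described in the table, and the attribute-level grant mentioned in the note under Modify Users, can be set and then reviewed from PowerShell. The following is an added example, not part of the WorkSpaces Manager documentation. The OU distinguished name, the trustee group, the service account name and the choice of the `description` attribute are placeholders chosen for illustration.

```powershell
# Added example: all names below are placeholders, adjust before use.
Import-Module ActiveDirectory

$ou      = 'OU=WorkSpaces,DC=example,DC=com'   # placeholder OU holding the managed objects
$trustee = 'EXAMPLE\wsm-delegated'             # placeholder group containing the service account
$account = 'svc-wsm'                           # placeholder sAMAccountName of the service account

# 1. Delegate on the OU only, instead of relying on built-in group membership.
#    CC/DC = create/delete child objects of class 'computer' in this OU and below (/I:T).
dsacls $ou /I:T /G "${trustee}:CCDC;computer"
#    RP/WP = read/write all properties, applied to descendant computer objects only (/I:S).
dsacls $ou /I:S /G "${trustee}:RPWP;;computer"
#    Attribute-level grant: write one property ('description', illustrative) on user objects.
dsacls $ou /I:S /G "${trustee}:WP;description;user"

# 2. Confirm the account is not also a (nested) member of the broad built-in groups.
$broad = foreach ($g in 'Administrators', 'Account Operators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.SamAccountName -eq $account } |
        ForEach-Object { $g }
}
if ($broad) { Write-Warning "$account is still a member of: $($broad -join ', ')" }

# 3. Review the ACEs set directly on the OU for the trustee.
#    schemaIDGUIDs of the object classes, used to make the GUID columns readable.
$classes = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType,
        @{ n = 'Class';     e = { $classes["$($_.ObjectType)"] } },
        @{ n = 'AppliesTo'; e = { $classes["$($_.InheritedObjectType)"] } }
```

For the attribute-level ACE, `ObjectType` holds the attribute's GUID rather than a class GUID, so the `Class` column is empty for that row.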


Last updated 6 months ago