Account policies on an AWS DC

    Question

  • Due to AWS limitations my user account is a local admin on a DC but not a domain admin. For that reason I can't edit the Default GPO nor the Default Domain Controllers GPO. I can't add any new policy to the root of the domain nor to the Domain Controllers container. I checked ADAC but again no access to Password Settings Container. I create and link GPOs to other OUs though. I tried creating a password controlling policy and linking it to the Users and to Computers OUs but it doesn't seem to apply.

    yaro

    Tuesday, January 03, 2017 10:25 AM

All replies

  • > my user account is a local admin on a DC but not a domain admin.
     
    Then go add yourself to DA group.
     
    Tuesday, January 03, 2017 11:15 AM
  • It's not that simple I'm afraid. The DA group is restricted on AWS so no account can be added to it.

    yaro

    Tuesday, January 03, 2017 2:55 PM
  • > It's not that simple I'm afraid. The DA group is restricted on AWS so no account can be added to it.
     
    Hm. If you are a local administrator, nothing can restrict you. But since I never ran a DC in AWS, I'll shut up right now :-)
     
    Tuesday, January 03, 2017 4:31 PM
  • It's quite new to me as well so the limitations are very frustrating. Even more when users keep reporting their passwords expire too quickly and once they do they can't change them by themselves.

    yaro

    Tuesday, January 03, 2017 7:31 PM
  • Hi yaro,
    As AWS is involved in this case, I doubt that it could be answered in the group policy forum. No matter account policy or password policy, domain admin permission is needed in ADDS, you might need to contact AWS support team and check if any method could be used to avoid the limitation of adding account into DA.
    Thank you for the understanding.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 04, 2017 3:14 AM
    Moderator
  • AWS or not I was rather hoping to get a workaround. It's still Microsoft AD. From posts I've seen it looks like it isn't even clear whether an additional password policy should be applied on Computers OU or Default Domain Controllers.

    yaro

    Wednesday, January 04, 2017 7:23 PM
  • Hi,

    Password policies can be applied only for the whole domain, not OU. If you need to use separate password policies, then you could have a try fine-grained password policies (FGPP), it allows you to specify multiple password policies within a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain. Please see: https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

    Best regards,

    Wendy



    Monday, January 09, 2017 3:12 AM
    Moderator
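The FGPP route Wendy points to, as an added PowerShell example that is not part of the thread or the linked article. The policy, group and user names are placeholders, and the script assumes the ActiveDirectory module; creating a PSO writes to the Password Settings Container, which by default needs Domain Admins, the very right the original poster does not have, so the script surfaces that failure rather than hiding it.

```powershell
# Added example: create a Fine-Grained Password Policy (PSO), bind it to a
# group, and verify which policy actually governs a given user.
# Placeholders: policy, group and user names below are not from the thread.
Import-Module ActiveDirectory

$policyName  = 'Standard-Users-PSO'   # placeholder PSO name
$targetGroup = 'Standard Users'       # placeholder global security group
$sampleUser  = 'jdoe'                 # placeholder user to check

try {
    # A longer maximum age and a milder lockout than the "expires too quickly"
    # symptom in the thread. Lower Precedence wins if several PSOs match a user.
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 100 `
        -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ErrorAction Stop
}
catch {
    # This is where a local-admin-only account fails: no rights on
    # CN=Password Settings Container,CN=System,<domain DN>.
    Write-Warning "Cannot create PSO '$policyName': $($_.Exception.Message)"
    return
}

# PSOs apply to users and global security groups, never to OUs, which is why
# linking a password GPO to the Users or Computers OU (as tried above) had no effect.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Resultant policy check: returns the winning PSO, or nothing when the
# Default Domain Policy is what governs the account.
$effective = Get-ADUserResultantPasswordPolicy -Identity $sampleUser
if ($effective) {
    "{0} is governed by PSO '{1}' (MaxPasswordAge = {2})" -f `
        $sampleUser, $effective.Name, $effective.MaxPasswordAge
} else {
    "$sampleUser is governed by the Default Domain Policy"
}
```

Running only the final Get-ADUserResultantPasswordPolicy call needs no special rights, so it is a useful first check of which policy is actually in force before anyone tries to change it.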
  • Thanks Wendy but without domain admin privileges fine grained password policies won't work.

    yaro

    Friday, January 13, 2017 10:35 AM
  • Hi,
    Yes, you are right, admin rights are needed in the case.
    Best regards,
    Wendy


    Monday, January 16, 2017 3:26 AM
    Moderator