I have AWS Managed Microsoft AD deployed in one region across two availability zones.
In Active Directory Users and Computers, the default Admin user was created by AWS and is what I have been using to login and manage the Windows Servers.
When I click on Member Of, I see that Admin is a member of:
- AWS Delegated Administrators
- Domain Users
The issue is that this user is not a member of Domain Admins and I receive some errors. For example, when trying to sign a CSR in certsrv, I receive the following message.
The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012. Denied by Policy Module.
To resolve the issue, when I go to Admin in Active Directory Users and Computers, click on Member Of, click on Add, enter Domain Admins, and click Apply, I receive the following error message.
You do not have permission to modify the group /Users/Domain Admins.
In summary, the issues are:
- I encounter permission errors when making modifications to certain functions and features
- When I try to add the Admin user to Domain Admins, I receive a permissions error
How can I solve this?
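The following PowerShell check is an added example for readers and is not part of the original post. It verifies the two facts the question describes (the Admin account's group membership and the absence of Domain Admins) and lists the AWS Delegated groups present in the directory. In AWS Managed Microsoft AD the Domain Admins group is reserved for AWS, and customer accounts receive administrative rights through the AWS Delegated groups instead, so the script is written to confirm that state rather than to change it. It assumes the RSAT ActiveDirectory module is installed on a domain-joined Windows server and that the account is named Admin as in the question; the sample account name is the only value taken from the post.

```powershell
# Added diagnostic example (not from the original post). Assumes the RSAT
# ActiveDirectory module on a domain-joined server and an account named "Admin",
# the name used in the question.
Import-Module ActiveDirectory

$user = 'Admin'

# 1. Direct group membership (memberOf plus the primary group), as shown on the
#    "Member Of" tab in Active Directory Users and Computers.
$direct = Get-ADPrincipalGroupMembership -Identity $user |
          Select-Object -ExpandProperty Name | Sort-Object
Write-Host "Direct groups for ${user}:"
$direct | ForEach-Object { Write-Host "  $_" }

# 2. Effective (nested) membership, resolved server-side with the
#    LDAP_MATCHING_RULE_IN_CHAIN matching rule. The DN is interpolated into an
#    LDAP filter; this is safe for ordinary DNs without parentheses or asterisks.
$dn        = (Get-ADUser -Identity $user).DistinguishedName
$effective = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
             Select-Object -ExpandProperty Name | Sort-Object
Write-Host "Effective (nested) groups for ${user}:"
$effective | ForEach-Object { Write-Host "  $_" }

# 3. Domain Admins membership. In AWS Managed Microsoft AD this is expected to be
#    False for customer accounts, which is why the "Member Of -> Add" attempt in
#    the question is refused: the customer account cannot modify that group.
$isDomainAdmin = $effective -contains 'Domain Admins'
Write-Host "Member of Domain Admins (directly or via nesting): $isDomainAdmin"

# 4. AWS Delegated groups that exist in the directory, split into those the
#    account already holds and those it does not. A missing right is normally
#    obtained by adding the account to the matching AWS Delegated group.
$delegated = Get-ADGroup -Filter 'Name -like "AWS Delegated*"' |
             Select-Object -ExpandProperty Name | Sort-Object
Write-Host "AWS Delegated groups the account IS in:"
$delegated | Where-Object { $effective -contains $_ } | ForEach-Object { Write-Host "  $_" }
Write-Host "AWS Delegated groups the account is NOT in:"
$delegated | Where-Object { $effective -notcontains $_ } | ForEach-Object { Write-Host "  $_" }
```

Run it from an elevated PowerShell session as the Admin account. The last section is the useful output for the certificate-enrollment error in the question: the certificate services right comes from a specific AWS Delegated group (for example, AWS Delegated Enterprise Certificate Authority Administrators) rather than from Domain Admins, and the group names printed by the script are the ones available for membership in that directory.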