
AWS Managed AD and Azure AD DS are not supported #712

Open
1Dimitri opened this issue May 26, 2023 · 3 comments
Labels
enhancement New feature or request jira Import to Jira

Comments

@1Dimitri

Description

PaaS offers for Active Directory from AWS and Microsoft Azure do not grant administrators the needed rights to install the GPO policies at the suggested file location.

Reproduction

For AWS

  1. Create an AWS Managed AD environment from the Directory Service console and wait for the initial replication to complete
  2. Create an EC2 instance and join it to the domain
  3. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  4. You receive an Access Denied Error

For Azure AD DS

  1. Create an Azure AD DS environment from the marketplace and wait for the initial replication to complete
  2. Put one Azure AD user in the "AAD DC Administrators" Azure AD group
  3. Wait for this group membership to be updated
  4. Create an Azure VM
  5. Join this Azure VM to the domain (do not Azure AD join it)
  6. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  7. You receive an Access Denied Error

Environment

  • AWS Managed AD [Any SKU]
    OR
  • Azure Active Directory Domain Services [Any SKU]

Installed versions

  • N/A

Additional context

AWS and Azure offer managed AD services, where you do not have access to the VMs which are the Domain Controllers of the created single-domain forest.
In order to avoid corruption, you are not granted "Domain Admins" group membership but membership in specific pre-created groups which, through delegation, can do many Domain Admins actions, but not all.

In particular, for the SYSVOL folder:

  • you can create subfolders below "Policies" and "scripts"
  • you cannot create folders side-by-side with "Policies" and "Scripts"
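The following PowerShell probe is an added example and is not part of the adsys project or of the reporter's post. Run from the domain-joined EC2/Azure VM as the delegated administrator, it attempts to create a throw-away directory at the SYSVOL root (beside "Policies" and "scripts", which is where the adsys wiki asks for the "Ubuntu" folder) and below "Policies" and "scripts", then prints which write-class ACEs exist at the root. The domain name is taken from the environment, the `\\<domain>\SYSVOL\<domain>` layout and the `adsys-probe-*` directory name are assumptions for the example.

```powershell
# Added example (not adsys project code): check whether the delegated managed-AD
# account can create a folder at the SYSVOL root, where adsys expects "Ubuntu",
# versus below "Policies" and "scripts", where managed-AD delegation allows it.
# Assumptions: run on a domain-joined Windows host as the delegated admin;
# $Domain resolves to the managed domain's DNS name; the probe name is arbitrary.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$ProbeName = "adsys-probe-$([guid]::NewGuid().ToString('N').Substring(0, 8))"
)

if (-not $Domain) { throw "Host is not domain-joined; pass -Domain explicitly." }

# Default SYSVOL layout: \\<domain>\SYSVOL\<domain>\{Policies,scripts}
$sysvolRoot = "\\$Domain\SYSVOL\$Domain"

$targets = @(
    @{ Label = "SYSVOL root (adsys 'Ubuntu' location)"; Path = Join-Path $sysvolRoot $ProbeName }
    @{ Label = "Below Policies";                        Path = Join-Path (Join-Path $sysvolRoot 'Policies') $ProbeName }
    @{ Label = "Below scripts";                         Path = Join-Path (Join-Path $sysvolRoot 'scripts')  $ProbeName }
)

# Try to create and immediately remove a directory at each location.
$results = foreach ($t in $targets) {
    try {
        $null = New-Item -ItemType Directory -Path $t.Path -ErrorAction Stop
        Remove-Item -Path $t.Path -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{ Location = $t.Label; CanCreate = $true;  Error = $null }
    }
    catch {
        # UnauthorizedAccessException is the "Access Denied" the issue describes.
        [pscustomobject]@{ Location = $t.Label; CanCreate = $false; Error = $_.Exception.GetType().Name }
    }
}
$results | Format-Table -AutoSize

# Show who holds write-class rights at the SYSVOL root, so a denial can be
# attributed to the provider's delegation rather than to a transient error.
(Get-Acl -Path $sysvolRoot).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl|CreateDirectories' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

$rootProbe = $results | Where-Object { $_.Location -like 'SYSVOL root*' }
if (-not $rootProbe.CanCreate) {
    Write-Warning ("Cannot create a folder beside Policies/scripts in $sysvolRoot; " +
                   "adsys policies that need the SYSVOL 'Ubuntu' folder (e.g. scripts) cannot be deployed here.")
}
```

On an unmanaged domain run as a Domain Admin all three rows report `CanCreate = True`; on AWS Managed AD or Azure AD DS the expected outcome, matching the report above, is `False` for the SYSVOL root and `True` for the two subfolders. If a probe directory is created but its removal is denied, delete it by hand so SYSVOL replication does not carry the leftover to every controller.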
@enidevops

Any update on this? We are facing the same issue.

@denisonbarbosa
Member

Hey @1Dimitri, thanks for reporting the issue! I'll mark it as a feature request since it's not something that we can tackle without deeper research and quite some changes in the way we set up the project.
Does this happen only for policies that require the creation of the SYSVOL/Ubuntu directory?

@denisonbarbosa denisonbarbosa added enhancement New feature or request jira Import to Jira labels Jun 21, 2023
@1Dimitri
Author

Hello,
Yes. The culprit is that you are not delegated enough rights in this PaaS offer to create folders at the SYSVOL level.
Therefore you cannot use GPOs which need that folder (login scripts, basically).
If you decided that the distribution ID is no longer named "Ubuntu" but "awesomebuntu", the same problem would arise.
If you want to have no problem with any of those providers, the adsys client should have a way to search for scripts under the `sysvol\scripts\<gpoguid>` folder for each GPO, like the Windows native client does.

I've already asked the AWS Support to enter a feature request for the AWS Directory Service team so if you have contacts at Amazon I can provide you with the ticket number
