So in AWS I created a Microsoft AD and managed to join a computer to the domain after changing the DHCP option set. I then rebooted the machine and logged in as the admin account that was created with the domain, but soon realized that the admin account has very strict privileges. I can create new users and add computers to the AD, but that's about it... I can't add users to the Domain Admins group or even to the Remote Desktop Users group.
Anyone know if there is any way to access the real administrator account when creating a windows active directory in AWS?
Noticed that AWS creates delegated groups for you, so after I added my users to the "AWS Delegated Administrators" group everything was fine.
As to why they lock you out of the real domain admin account and groups is beyond me though... sigh
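The group-based delegation the poster landed on can be audited and applied from PowerShell. This is an added example, not the poster's code; it assumes the RSAT ActiveDirectory module is installed, that the session runs as the admin account AWS created, and that `svc.user` is a placeholder for the real sAMAccountName.

```powershell
# Added example (not the poster's code): list the AWS-created delegated groups
# and their members, then grant one user the delegated administrator role.
# Assumes the RSAT ActiveDirectory module is installed and the session runs
# as the AWS-provided admin account. "svc.user" is a placeholder account name.
Import-Module ActiveDirectory

$user = "svc.user"  # placeholder, replace with the real sAMAccountName

# Show every AWS delegated group with its current direct members, so the
# privileges already granted are visible before anyone new is added.
Get-ADGroup -Filter 'Name -like "AWS Delegated*"' |
    Sort-Object Name |
    ForEach-Object {
        $members = Get-ADGroupMember -Identity $_ |
            Select-Object -ExpandProperty SamAccountName
        [PSCustomObject]@{ Group = $_.Name; Members = ($members -join ", ") }
    } | Format-Table -AutoSize

# Grant the delegated admin role (the group the poster used).
Add-ADGroupMember -Identity "AWS Delegated Administrators" -Members $user

# Confirm the membership took effect.
Get-ADPrincipalGroupMembership -Identity $user |
    Where-Object { $_.Name -like "AWS Delegated*" } |
    Select-Object Name
```

The same Add-ADGroupMember call against "Domain Admins" is what fails in the hosted offering, which is the limitation the thread describes.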
Unfortunately, the answer to the question is "No." You do not have access to the "real" (i.e. -500) Administrator account in the hosted AWS Microsoft AD solution.
Thankfully, this limitation is clearly laid out by Amazon when researching the offering. I have not yet implemented it; we are just reviewing all of the various providers and options, and one of the first things in the FAQ for the service is a clear confirmation.
Amazon has put a lot of time into preparing / automating this offering, and it requires a great deal of delegation of privileges and permissions so that Amazon's customers can have sufficient access to configure nearly all options of Active Directory while at the same time not allowing customer access to the AD management.
It follows that they would use these same methods to ensure best practices were being followed, specifically, that "Domain Admins" or privileged accounts used for managing AD should not be administrators on member computers.
Regardless, it makes sense - how could they properly guarantee up-time or support the offering if they granted the user the ability to hose the directory at any time?
Source: AWS Microsoft AD FAQ