Description
PaaS offers for Active Directory from AWS and Microsoft Azure do not grant administrators the needed rights to install the GPO policies at the suggested file location.
Reproduction
For AWS
1. Create an AWS Managed AD environment from the Directory and wait for the initial replication to complete.
2. Create an EC2 instance and join it to the domain.
3. Try to follow the steps in https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution by creating the Ubuntu folder.
4. You receive an Access Denied error.
For Azure AD DS
1. Create an Azure AD DS environment from the marketplace and wait for the initial replication to complete.
2. Put one Azure AD user in the "AAD DC Administrators" Azure AD group.
3. Wait for this group membership to be updated.
4. Create an Azure VM.
5. Join this Azure VM to the domain (do not Azure AD join it).
6. Try to follow the steps in https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution by creating the Ubuntu folder.
7. You receive an Access Denied error.
Environment
AWS Managed AD [Any SKU]
OR
Azure Active Directory Domain Services [Any SKU]
Installed versions
N/A
Additional context
AWS and Azure offer a managed AD service, where you do not have access to the VMs which are the Domain Controllers of the created single-domain forest.
In order to avoid corruption, you are not granted "Domain Admins" group membership but membership to specific created groups which can, through delegation, do many Domain Admins actions, but not all.
In particular, for the SYSVOL folder:
- you can create subfolders below "Policies" and "scripts"
- you cannot create folders side-by-side with "Policies" and "Scripts"
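The following PowerShell probe is an added example and not part of the adsys project or the report above. It lets an administrator confirm, before following the wiki steps, which SYSVOL locations the delegated account can actually write to: the SYSVOL root (where the "Ubuntu" folder is expected) versus the "Policies" and "scripts" subtrees the report describes as writable. It assumes it runs on a domain-joined Windows VM as the delegated administrator; the `adsys-probe-TEMP` folder name is a hypothetical placeholder that is created and removed immediately.

```powershell
# Added diagnostic (not adsys project code): probe which SYSVOL locations the
# current account may write to in a managed AD domain (AWS Managed AD / Azure AD DS).
# Assumption: this runs on a domain-joined Windows VM as the delegated admin.
param(
    # Assumption: the machine is domain-joined, so its domain is the AD domain to probe.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
)

$sysvolRoot = "\\$Domain\SYSVOL\$Domain"

# Candidate locations: the SYSVOL root (where the wiki expects "Ubuntu") and the
# delegated subtrees the report says are writable. The probe folder name is a placeholder.
$targets = @(
    (Join-Path $sysvolRoot 'Ubuntu'),
    (Join-Path $sysvolRoot 'Policies\adsys-probe-TEMP'),
    (Join-Path $sysvolRoot 'scripts\adsys-probe-TEMP')
)

function Test-SysvolWrite {
    param([string]$Path)

    # Never delete something that was already there; only report it.
    if (Test-Path -LiteralPath $Path) {
        return [pscustomobject]@{ Path = $Path; Result = 'already exists' }
    }
    try {
        # Create the directory and remove it again so the probe leaves no trace.
        New-Item -ItemType Directory -Path $Path -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        return [pscustomobject]@{ Path = $Path; Result = 'writable' }
    } catch [System.UnauthorizedAccessException] {
        # This is the "Access Denied" the report describes at the SYSVOL root.
        return [pscustomobject]@{ Path = $Path; Result = 'access denied' }
    } catch {
        return [pscustomobject]@{ Path = $Path; Result = "error: $($_.Exception.Message)" }
    }
}

$targets | ForEach-Object { Test-SysvolWrite -Path $_ } | Format-Table -AutoSize

# Show which identities are granted rights at the SYSVOL root, so the result can be
# compared with the delegated groups documented by the provider.
(Get-Acl -LiteralPath $sysvolRoot).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

On a managed directory the expected output is "access denied" for the `Ubuntu` entry and "writable" for the two subtree entries; if the root entry reports "writable", the delegation differs from what the report describes and the wiki steps should succeed.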
Hey @1Dimitri, thanks for reporting the issue! I'll mark it as a feature request since it's not something that we can tackle without deeper research and quite some changes in the way we set up the project.
Does this happen only for policies that require the creation of the SYSVOL/Ubuntu directory?
Hello
Yes. The culprit is that you are not delegated enough rights in this PaaS offer to create a folder at the Sysvol level.
Therefore you cannot use GPOs which need that folder (login scripts, basically).
If you decided that the distribution id is no longer named "Ubuntu" but "awesomebuntu", the same problem would arise.
If you were willing to have no problem with any of those providers, the adsys client should have a way to search for scripts under the sysvol\scripts<gpoguid> folder for each GPO, like the Windows native client does.
I've already asked the AWS Support to enter a feature request for the AWS Directory Service team so if you have contacts at Amazon I can provide you with the ticket number
@denisonbarbosa any updates on this? I need to execute scripts on startup, but as others have stated I do not have permissions for /SysVol/Ubuntu. Is there a way to make the adsys client check elsewhere for scripts? Or, as @1Dimitri suggested, search for scripts under SysVol/scripts? If this isn't going to be resolved in the short term, any ideas for a workaround?