ubuntu/adsys

AWS Managed AD and Azure AD DS are not supported

1Dimitri opened this issue · 4 comments

Description

PaaS offers for Active Directory from AWS and Microsoft Azure do not grant administrators the needed rights to install the GPO policies at the suggested file location.

Reproduction

For AWS

  1. Create an AWS Managed AD environment from the Directory and wait for the initial replication to complete
  2. Create an EC2 instance and join it to the domain
  3. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  4. You receive an Access Denied Error

For Azure AD DS

  1. Create an Azure AD DS environment from the marketplace and wait for the initial replication to complete
  2. Put one Azure AD user in the "AAD DC Administrators" Azure AD Group
  3. Wait for this group membership to be updated
  4. Create an Azure VM
  5. Join this Azure VM to the domain (do not Azure AD join it)
  6. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  7. You receive an Access Denied Error

Environment

  • AWS Managed AD [Any SKU]
    OR
  • Azure Active Directory Domain Services [Any SKU]

Installed versions

  • N/A

Additional context

AWS and Azure offer managed AD services, where you do not have access to the VMs that are the Domain Controllers of the created single-domain forest.
In order to avoid corruption, you are not granted "Domain Admins" group membership, but membership in specifically created groups which, through delegation, can do many Domain Admins actions, but not all.

In particular, for the SYSVOL folder:

  • you can create subfolders below "Policies" and "scripts"
  • you cannot create folders side-by-side with "Policies" and "Scripts"

Any update on this? We are facing the same issue.

Hey @1Dimitri, thanks for reporting the issue! I'll mark it a feature request since it's not something that we can tackle without deeper research and quite some changes in the way we set up the project.
Does this happen only for policies that require the creation of the SYSVOL/Ubuntu directory?

Hello
Yes. The culprit is that you are not delegated enough rights in this PaaS offer to create a folder at the Sysvol level.
Therefore you cannot use GPOs which need that folder (login scripts, basically).
If you decided that the distribution id is no longer named "Ubuntu" but "awesomebuntu", the same problem would arise.
If you were willing to have no problem with any of those providers, the adsys client should have a way to search for scripts under the `sysvol\scripts\<gpoguid>` folder for each GPO, like the Windows native client does.

I've already asked the AWS Support to enter a feature request for the AWS Directory Service team so if you have contacts at Amazon I can provide you with the ticket number

@denisonbarbosa any updates on this? I need to execute scripts on startup, but as others have stated I do not have permissions for /SysVol/Ubuntu. Is there a way to make the adsys client check elsewhere for scripts? Or, as @1Dimitri suggested, search for scripts under SysVol/scripts? If this isn't going to be resolved in the short term, any ideas for a workaround?
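The per-GPO lookup that the two comments above ask for, shown as an added example (not adsys code): startup scripts are resolved from `Policies/{GUID}/Machine/Scripts/scripts.ini` inside each GPO, which is the native Windows client layout and only needs folders below `Policies`, exactly what the managed AD delegation allows. The SYSVOL tree and the GPO GUIDs are constructed in a temp directory for the example.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed GPO GUIDs for this example; real GPOs use the GUID of the policy object.
GPO_WITH_SCRIPT = "{00000000-0000-0000-0000-000000000001}"
GPO_WITHOUT_SCRIPT = "{00000000-0000-0000-0000-000000000002}"


def read_scripts_ini(ini_path, section="Startup"):
    """Parse a Windows scripts.ini (UTF-16 with BOM): keys are 0CmdLine/0Parameters,
    1CmdLine/1Parameters, ... under the [Startup] and [Shutdown] sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the "0CmdLine" casing instead of lowercasing keys
    cp.read_string(Path(ini_path).read_text(encoding="utf-16"))
    entries, i = [], 0
    while cp.has_option(section, f"{i}CmdLine"):  # False if the section is absent
        entries.append((cp.get(section, f"{i}CmdLine"),
                        cp.get(section, f"{i}Parameters", fallback="")))
        i += 1
    return entries


def resolve_startup_scripts(sysvol_root, gpo_guids):
    """Return (guid, cmdline, parameters) tuples in GPO link order, taken from
    Policies/{GUID}/Machine/Scripts/scripts.ini; GPOs without one are skipped.
    Nothing here touches the SYSVOL root, so no extra delegation is needed."""
    found = []
    for guid in gpo_guids:
        ini = Path(sysvol_root) / "Policies" / guid / "Machine" / "Scripts" / "scripts.ini"
        if ini.is_file():
            found.extend((guid, cmd, params) for cmd, params in read_scripts_ini(ini))
    return found


def build_sample_sysvol():
    """Constructed SYSVOL tree: one GPO carrying a startup script, one without."""
    root = Path(tempfile.mkdtemp(prefix="sysvol-"))
    scripts_dir = root / "Policies" / GPO_WITH_SCRIPT / "Machine" / "Scripts"
    (scripts_dir / "Startup").mkdir(parents=True)
    (scripts_dir / "Startup" / "hello.sh").write_text("#!/bin/sh\necho hello\n")
    # CmdLine is relative to the Startup folder when the script ships inside the GPO.
    (scripts_dir / "scripts.ini").write_text(
        "[Startup]\n0CmdLine=hello.sh\n0Parameters=--quiet\n", encoding="utf-16")
    (root / "Policies" / GPO_WITHOUT_SCRIPT / "Machine").mkdir(parents=True)
    return root, [GPO_WITH_SCRIPT, GPO_WITHOUT_SCRIPT]


if __name__ == "__main__":
    sysvol, guids = build_sample_sysvol()
    for guid, cmd, params in resolve_startup_scripts(sysvol, guids):
        print(f"{guid}: {cmd} {params}")
```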