Is it possible to create users in an ADDS managed domain?

Question

Is it possible to create users in an ADDS managed domain?

Markus Bauer 25

Hello,

I was wondering if it is possible to create an AADDS managed domain and create users within it.

Basically, I have a domain contoso.com that we use for our regular Azure AD users. Now i need to talk to Azure AD via LDAPS - which is possible, via an Azure AD Domain Service Managed Domain. So I go ahead and provision said Domain but I cannot create users in said domain if I try to access it via the LDAPS endpoint.

Is this something that is simply not possible? Please disregard the fact that this idea in general might not make sense, for the specific use case I have it is indeed the only option I have. (At least when it comes to doing this on Azure and not using on-prem AD)

Just to be sure once again, I read the documentation of ADDS and the very first page mentions:

You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD.

Which to me suggests that this should work - keep in mind, I don't need the resources to sync back to AzureAD. I simply want to provision users in a domain managed by Azure.

Markus Bauer 25 Reputation points

2023-01-18T16:38:42.5566667+00:00

After lots of trial and error and looking around my problem seems to go a bit deeper.

So what I have is an Azure AD DS Managed Domain "contoso.com" - that is syncing all users from Azure AD.

I can join VMs to the domain controllers of said domain and I can log into the VM using my Azure AD account.

However, when using Active Directory Administrative Center I am unable to create users - or really any object - in the domain. I also cannot enable any features e.g. Recycle Bin. I am both Global Admin in the Azure Tenant, as well as Owner of the AD DS service and I am a member of the AAD DC Administrators group that is assigned to this domain.

If I try to change any feature (e.g. AD Recycle bin) I get an error that I do not have the proper permissions. Any buttons related to Creating new objects - i.e. any "Create" button is also greyed out.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-01-24T04:27:52.3266667+00:00

@Markus Bauer Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Accepted answer

0 additional answers

Your answer

Markus Bauer 25 Reputation points

2023-01-18T16:38:42.5566667+00:00

After lots of trial and error and looking around my problem seems to go a bit deeper.

So what I have is an Azure AD DS Managed Domain "contoso.com" - that is syncing all users from Azure AD.

I can join VMs to the domain controllers of said domain and I can log into the VM using my Azure AD account.

However, when using Active Directory Administrative Center I am unable to create users - or really any object - in the domain. I also cannot enable any features e.g. Recycle Bin. I am both Global Admin in the Azure Tenant, as well as Owner of the AD DS service and I am a member of the AAD DC Administrators group that is assigned to this domain.

If I try to change any feature (e.g. AD Recycle bin) I get an error that I do not have the proper permissions. Any buttons related to Creating new objects - i.e. any "Create" button is also greyed out.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-01-24T04:27:52.3266667+00:00

@Markus Bauer Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Answer 1

Givary-MSFT 35,621 Microsoft Employee Moderator

@Markus Bauer Thank you for reaching out to us, researched on your ask you can create users in managed domain in a custom OU. There are two OU's where AAD accounts and computers will be synced. you can't do anything there. However, you can create a custom OU and create objects in there.

Privileges required to create custom OU within managed domain.

Reference: [https://learn.microsoft.com/en-us/azure/active-directory-domain-services/administration-concepts

Let me know if you have any further questions, feel free to post back.

Markus Bauer 25 Reputation points

2023-01-20T05:26:53.2633333+00:00

Thank you Givary, I will test this.
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator

2023-01-20T05:29:35.8933333+00:00

@Markus Bauer I have tested this scenario in my lab, with the steps mentioned above, its possible to create users in the Azure ADDS Domain - Managed domain (but cannot be synced to Azure AD).

Custom OU considerations and limitations

Reference screenshot from my lab:

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Share via

Is it possible to create users in an ADDS managed domain?

0 additional answers

Your answer