Accessing GPO and ADUC interface for Azure AD Domain Services (AADDS)

Microsoft Azure

Since Microsoft released a preview version for the Azure AD Domain Services there have been a number of posts asking how to actually manage it and how to access things like GPO and ADUC. Since it’s a very new service there isn’t any how to’s (or i haven’t been able to find them) so here is a quick one:

You first need to deploy the AADDS, but please keep in mind that as of writing this post it’s only available in the US. I am not going to repeat this part as there is a nice post on technet:

http://blogs.technet.com/b/ad/archive/2015/10/14/azure-ad-domain-services-is-now-in-public-preview-use-azure-ad-as-a-cloud-based-domain-controller.aspx#pi168980=3

*Please note that if you are creating a test environment you probably are not going to configure password replication so your username will not work. Easiest way to fix this is to create a “New user in your organization” and add them to the “aad dc administrators” group.

Once you have a AADDC (Azure Active Directory Domain Controller), you will need a virtual machine in the same network or a network which has vnet to vnet VPN with it. Once the VM is up you need to join it to the domain with an account from the “aad dc administrators” group. Once joined you should have Administrators access with the same account you joined it to the domain with. If not please log in with the local account and run “gpupdate /force”. This is because in the AADDS your are not part of Domain Admins, so there is a default GPO which adds “aad dc administrators” as administrators on all domain joined computers.

To use the two features mentioned below you need to log in with a member of the “aad dc administrators” group.

GPO Administration:

To administer GPOs you need to add the Group Policy Management Feature to the machine above:

gpfea

Once installed you can open the tool and you will see the below default GPOs. Please note that currently you can only edit the two GPOs highlighted in yellow, you also can’t add any filtering to the GPOs or create additional once. You will also not be able to add additional ADMX templates (the 2012  R2 defaults are available)

gpo

 

ADUC Administration:

Please note that you have very limited rights in the ADUC. Currently you can only modify certain things in the “AADDC Computers” OU like Adding , Disabling, Resetting, Deleting computer objects.

To administer ADUC you need to add the ADUC Feature to the machine above:

aducadd

 

As mentioned above currently you are very limited to what you can actually do but as a side note any groups or users you add from the Azure management portal to the Directory will appear in the “AADDC Users” OU.

azureaduc

3 thoughts on “Accessing GPO and ADUC interface for Azure AD Domain Services (AADDS)

  1. Has this offering progressed to the point where we can simply have a cloud only Directory/Domain Service? Such that a small company of say less than 20 people could join all of their PC’s/Laptops to the Azure Domain and utilize group policy to force some settings to the machines. Most of the employees work from home so VPN Connections are doable but it would be really nice if you could just point your DNS to the Azure cloud and authenticate with the Domain Controller like you would in a typical domain environment. No need for file sharing or print services just Active Directory with Group Policy to ensure we can lock the machines down enough for compliance reasons. Would be great if we could even use the GPO for Bitlocker as well.

  2. Hello Jeff,

    Thanks for your comment, the first thing you should be aware of is that AADDS is still in preview mode meaning it’s not covered by SLA and still under development, i would not recommend using it for a production environment until it becomes GA. However what you are asking for should be possible and i think the bitlocker template was included but i am not 100% sure you may need to double check. There are a couple of things that you need to be aware of, the first is that the domain controller has no public ip address but a private ip from the VNET/Subnet you created so in order for you to be able to join computers to the domain they need to be connected to the VNET.
    They also need to be connected to the VNET at logon in order for the GPOs to be applied.

    There are two way you can do it:

    The first is using a Point to site VPN, but you will need to configure the computer to establish a connection before logon, there is a good article about it here http://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/. I would recommend this, but i have never tested it in theory it should work.

    The second way is to create a site-to-site vpn, but you will need a route-based vpn device and the cheapest way i can think of doing this is to purchase a HP micro server, they start around 200 pounds and install server 2012 R2 for the VPN alternately you could go for a juniper srx100 they start around 300 pounds and overall cheaper if you don’t have a Windows Server 2012 R2 license. But this is a more complex solution which i would not recommend for single users.

Leave a Reply

Your email address will not be published. Required fields are marked *