Creating an AWS Managed Microsoft AD user - AWS Directory Service

Creating an AWS Managed Microsoft AD user

Use the following procedure to create a new AWS Managed Microsoft AD user with user and group management or AWS Directory Service Data in either the AWS Management Console or AWS CLI.

Before you begin either procedure, you need to complete the following:
AWS Management Console

You can create a new AWS Managed Microsoft AD user account in the AWS Management Console. When you create a new user account, you specify the new user's details and determine whether to add the new user to a group or copy another user's group memberships into the new user.

For more information, see AWS Directory Service Data attributes and Group type and group scope.

To create an AWS Managed Microsoft AD user with the AWS Management Console
  1. Open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/.

  2. From the navigation pane, choose Active Directory, and then choose Directories. You're directed to the Directories screen where you can view a list of directories in your AWS Region.

  3. Choose a directory. You're directed to the Directory details screen.

  4. On the Directory details page, under the Users section, choose Create users account.

  5. The Specify user details page opens. Under the Required information section, enter a user logon name and password. User logon names must meet the following conditions:

    • Must be a unique logon name

    • Can be up to 20 characters long

    • Can only contain alphanumeric characters

    • Cannot contain any of the following characters: / [ ] : ; | , + * ? < > @

    • The password must adhere to your password policy requirements. Check with your AWS administrator for more information.

    Warning

    The user logon name cannot be changed after the user is created.

    1. (Optional) Under the Primary information section, you can enter a first and last name for the user. You can also enter a display name and description for the user.

    2. (Optional) Under the Contact methods section, you can enter an email address and telephone numbers for the user.

    3. (Optional) Under the Job-related information section, you can enter a department, manager, office, and company for the user.

    4. (Optional) Under the Address section, you can enter an address for the user.

    5. (Optional) Under the Account settings section, you can enter notes, a preferred language, and service principal name for the user.

      For more information on user attributes, see AWS Directory Service Data attributes and Microsoft documentation.

  6. Choose Next once you've provided the user account details.

  7. On the Add users to groups - optional page, you can add the user to a new group or to an existing group. You can also copy the group membership of an existing user to the new user. If you don't want to add a user to a group, choose Next. Move to Step 12 to continue this procedure.

  8. (Optional) To create a new group, see Create an AWS Managed Microsoft AD group.

  9. (Optional) To add a new user to an existing group:

    1. Select the group you want to add the new user to in the Groups section. To find groups, enter the group name in the search box.

  10. (Optional) To copy the group membership of an existing user to a new user:

    1. Choose the Copy group membership from user tab. To find a user with a group membership you want to copy, enter the user logon name in the search box under the Users section.

    2. In the Selected groups section, select the groups the new user should become a member of.

  11. Choose Next when you're ready to create the new user account.

  12. On the Review and create user page, review all the choices you made. Choose Create user.

  13. After the user is configured, you're taken to the new user's details page. A banner appears stating the user was successfully created.

Important

If you receive an error message telling you that you don't have permission to create a user, follow the instructions in the error message to request that your administrator grant you access.

AWS CLI

The following describes how to format a request that creates a new AWS Managed Microsoft AD user account with the AWS Directory Service Data CLI. You must include your directory ID number and a user logon name in your request. You can also include other attributes, such as a user display name with the DisplayName attribute. For more information, see AWS Directory Service Data attributes and Group type and group scope.

To create an AWS Managed Microsoft AD user with AWS CLI
  • Open the AWS CLI, and run the following command, replacing the directory ID, logon name, and display name with your AWS Managed Microsoft AD directory ID and the values you want for the new user:

aws ds-data create-user --directory-id d-1234567890 --sam-account-name "jane.doe" --other-attributes '{ "DisplayName": { "S": "jane.doe"} }'
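The request format above, as an added example that is not the AWS documentation's own code: a POSIX shell script that checks a proposed logon name against the rules from the console procedure (length and the forbidden-character list; uniqueness is only enforced by the service), then builds or runs the ds-data create-user call. It assumes AWS CLI v2 with credentials configured when RUN=1; with RUN unset it only prints the command, so it runs offline.

```shell
#!/bin/sh
# Added example (not AWS's own code): check a proposed logon name against the
# rules listed on this page, then issue, or with RUN unset just print, the
# ds-data create-user call. Assumes AWS CLI v2 with configured credentials
# when RUN=1; DisplayName is the attribute shown on the page.

# Returns 0 on a valid logon name, prints a reason and returns 1 otherwise.
# Uniqueness cannot be checked locally; the service rejects a duplicate
# sAMAccountName at create time.
validate_logon_name() {
  name="$1"
  if [ -z "$name" ]; then
    echo "logon name must not be empty" >&2; return 1
  fi
  if [ "${#name}" -gt 20 ]; then
    echo "logon name '$name' is longer than 20 characters" >&2; return 1
  fi
  # Characters the console refuses: / [ ] : ; | , + * ? < > @
  # (the page's own CLI example uses a dot, so only this list is enforced)
  if printf '%s' "$name" | grep -q '[]/[;:|,+*?<>@]'; then
    echo "logon name '$name' contains a forbidden character" >&2; return 1
  fi
  return 0
}

# Builds the --other-attributes JSON for a display name. The value is embedded
# as a JSON string, so quotes and backslashes are refused rather than escaped.
display_name_attrs() {
  if printf '%s' "$1" | grep -q '["\\]'; then
    echo "display name must not contain quotes or backslashes" >&2; return 1
  fi
  printf '{ "DisplayName": { "S": "%s" } }' "$1"
}

# Creates the user, or with RUN unset prints the exact command for review.
create_ad_user() {
  dir_id="$1"; logon="$2"; display="$3"
  validate_logon_name "$logon" || return 1
  attrs=$(display_name_attrs "$display") || return 1
  if [ "${RUN:-0}" = 1 ]; then
    aws ds-data create-user --directory-id "$dir_id" \
      --sam-account-name "$logon" --other-attributes "$attrs"
  else
    printf "aws ds-data create-user --directory-id %s --sam-account-name \"%s\" --other-attributes '%s'\n" \
      "$dir_id" "$logon" "$attrs"
  fi
}

create_ad_user d-1234567890 jane.doe "Jane Doe"
```

Run it once without RUN to review the generated command, then with RUN=1 to create the user; a rejected logon name or display name stops the script before any API call is made.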