

# (Optional) Manage AD users and groups
<a name="tutorials_05_multi-user-ad-step2"></a>

In this step, you manage users and groups from an Amazon EC2 Amazon Linux 2 instance that's joined to the Active Directory (AD) domain.

If you followed the *automated* path, restart and log in to the AD joined instance that was created as part of the automation.

If you followed the *manual* path, restart and log in to the instance that you created and joined to the AD in preceding steps.

In these steps, you use the [adcli](https://www.mankier.com/package/adcli) and [openldap-clients](https://www.mankier.com/package/openldap-clients) tools that were installed in the instance as part of a preceding step.

**Log in to an Amazon EC2 instance that is joined to the AD domain**

1. From the Amazon EC2 console, select the untitled Amazon EC2 instance that was created in previous steps. The instance state might be **Stopped**.

1. If the instance state is **Stopped**, choose **Instance state** and then **Start instance**.

1. After the status checks pass, select the instance and choose **Connect** and SSH in to the instance.

**Manage users and groups when logged into an Amazon EC2 Amazon Linux 2 instance that's joined the AD**

When you run the `adcli` commands with the `-U "Admin"` option, you're prompted to enter the AD `Admin` password. The `ldapsearch` commands take the AD `Admin` password on the command line with `-w`; on a shared instance, prefer `-W`, which prompts for the password instead of leaving it in the shell history and the process list.

1. **Create a user.**

   ```
   $ adcli create-user {{"clusteruser"}} --domain {{"corp.example.com"}} -U "Admin"
   ```

1. **Set a user password.**

   ```
   $ aws --region {{"region-id"}} ds reset-user-password --directory-id {{"d-abcdef01234567890"}} --user-name {{"clusteruser"}} --new-password {{"new-p@ssw0rd"}}
   ```

1. **Create a group.**

   ```
   $ adcli create-group {{"clusterteam"}} --domain {{"corp.example.com"}} -U "Admin"
   ```

1. **Add a user to a group.**

   ```
   $ adcli add-member {{"clusterteam"}} {{"clusteruser"}} --domain {{"corp.example.com"}} -U "Admin"
   ```

1. **Describe users and groups.**

   Describe all users.

   ```
   $ ldapsearch "(&(objectClass={{user}}))" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

   Describe a specific user.

   ```
   $ ldapsearch "(&(objectClass={{user}})(cn={{clusteruser}}))" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

   Describe all users with a name pattern.

   ```
   $ ldapsearch "(&(objectClass={{user}})(cn={{user*}}))" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

   Describe all users that are part of a specific group.

   ```
   $ ldapsearch "(&(objectClass={{user}})(memberOf=CN={{clusterteam}},OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}))" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

   Describe all groups.

   ```
   $ ldapsearch "(objectClass={{group}})" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

   Describe a specific group.

   ```
   $ ldapsearch "(&(objectClass={{group}})(cn={{clusterteam}}))" -x -h {{"192.0.2.254"}} -b "DC={{corp}},DC={{example}},DC={{com}}" -D "CN=Admin,OU=Users,OU={{CORP}},DC={{corp}},DC={{example}},DC={{com}}" -w {{"p@ssw0rd"}}
   ```

1. **Remove a user from a group.**

   ```
   $ adcli remove-member {{"clusterteam"}} {{"clusteruser"}} --domain {{"corp.example.com"}} -U "Admin"
   ```

1. **Delete a user.**

   ```
   $ adcli delete-user {{"clusteruser"}} --domain {{"corp.example.com"}} -U "Admin"
   ```

1. **Delete a group.**

   ```
   $ adcli delete-group {{"clusterteam"}} --domain {{"corp.example.com"}} -U "Admin"
   ```
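
As an added example that is not part of this tutorial, the following Python builds the `ldapsearch` filters from the **Describe users and groups** step with RFC 4515 escaping, so that a user or group name taken from input cannot widen or rewrite the filter, and parses the LDIF that `ldapsearch` prints in order to confirm that `adcli add-member` took effect. It assumes the tutorial's placeholder OU and domain (`OU=Users,OU=CORP,DC=corp,DC=example,DC=com`); the sample LDIF is constructed, not captured from a directory.

```python
import base64, re
USERS_OU = "OU=Users,OU=CORP,DC=corp,DC=example,DC=com"   # tutorial placeholders

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a name like 'x*)(cn=' cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value embedded in a distinguished name."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in value)

def user_filter(cn: str, prefix: bool = False) -> str:
    """(cn=clusteruser), or with prefix=True the tutorial's (cn=user*) pattern."""
    return f"(&(objectClass=user)(cn={escape_filter_value(cn)}{'*' if prefix else ''}))"

def users_in_group(group_cn: str) -> str:
    dn = f"CN={escape_dn_value(group_cn)},{USERS_OU}"   # memberOf wants the full DN
    return f"(&(objectClass=user)(memberOf={escape_filter_value(dn)}))"

def parse_ldif(text: str) -> list:
    """Parse ldapsearch LDIF: comments, folded lines and base64 (::) values."""
    entries, attrs = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # unfold; "" flushes
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in attrs:                  # drops the 'result:' trailer
                entries.append(attrs)
            attrs = {}
            continue
        name, _, val = line.partition(":")
        val = base64.b64decode(val[1:]).decode() if val.startswith(":") else val.strip()
        attrs.setdefault(name, []).append(val)
    return entries

def is_member(ldif_text: str, user_cn: str) -> bool:
    """Confirm 'adcli add-member' took effect from the describe-group output."""
    want = f"CN={escape_dn_value(user_cn)},{USERS_OU}".lower()
    return any(m.lower() == want
               for e in parse_ldif(ldif_text) for m in e.get("member", []))

SAMPLE_LDIF = """\
# constructed sample of what ldapsearch prints for the clusterteam group
dn: CN=clusterteam,OU=Users,OU=CORP,DC=corp,DC=example,DC=com
member: CN=clusteruser,OU=Users,OU=CORP,DC=corp,DC=example,
 DC=com
description:: Q2x1c3RlciB0ZWFt

result: 0 Success
"""
```

Pipe the output of the "Describe a specific group" command into `parse_ldif` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) to run `is_member` against a live directory.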