Using the delegated administrator account

This topic shows how to use the Managed Service for Microsoft Active Directory delegated administrator account and manage its credentials.

Overview

When you create a Managed Service for Microsoft Active Directory domain, a delegated administrator account is automatically created for you. You can use this account to manage the domain. When you are logged into this account, you can:

  • Manage data and Active Directory objects
  • Manage other service administrators
  • Use standard Active Directory tools

Learn more about about the rights that are automatically granted to the delegated administrator account.

Getting the account name

By default, the delegated administrator account is named setupadmin. You can also specify a custom username when creating a domain. After domain creation, the username cannot be changed.

To retrieve the name of the delegated administrator account:

Console

  1. Go to the Managed Microsoft AD page in the Cloud Console.
    Go to the Managed Microsoft AD page
  2. Under FQDN, select the domain to get the delegated administrator account name for.
  3. The account name is listed under Admin name.

gcloud

Run the following command:

gcloud active-directory domains describe domain-name

The response is YAML containing information about the domain. The delegated administrator account name is listed under the managedIdentitiesAdminName field:

managedIdentitiesAdminName: setupadmin

Resetting the password

If you forget the password for the delegated administrator account, you can reset it. There is no method for retrieving an existing password.

To reset the delegated administrator password, a user must be granted the roles/managedidentities.admin or roles/managedidentities.domainAdmin IAM role, or another role granting the managedidentities.domains.resetpassword permission. See Granting, changing, and revoking access to learn more.

Console

  1. Go to the Managed Microsoft AD page in the Cloud Console.
    Go to the Managed Microsoft AD page

  2. Under FQDN, select the domain to reset the delegated administrator password for.

  3. On the Domain details page, select the Set Password.

  4. In the Set password dialog, click Confirm.

  5. The new password is displayed in the New password dialog.

gcloud

Run the following command:

gcloud active-directory domains reset-admin-password domain-name

This operation can take up to 60 seconds to complete, since it resets the password inside the domain itself.

Disabling password expiration

By default, the password for the delegated administrator account expires after 42 days.

To disable password expiration for the account, you can use the Set-ADUser PowerShell cmdlet with the -PasswordNeverExpires parameter. Learn more about the Set-ADUser cmdlet.

Using Active Directory Domain Services Tools

To access Active Directory Domain Services (AD DS) tools, you must use the delegated administrator account. When you connect to the VM instance, be sure to log in with the delegated administrator account. You cannot switch accounts after connecting to the VM or provide additional credentials. After connecting to the VM, you can use the Add Roles and Features Wizard to enable the AD DS tools. Learn more about enabling AD DS tools.

Creating a UPN suffix

The names of the current domain and the root domain are the default user principal name (UPN) suffixes. Adding alternative domain names provides additional security and simplifies user login names.

To create a UPN suffix:

  1. Connect to the VM instance with the delegated administrator account.
  2. Open Server Manager.
  3. From Tools, select Active Directory Domains and Trusts.
  4. In the Active Directory Domains and Trusts management console, right-click Active Directory Domains and Trusts in the left pane, and then select Properties.
  5. In the dialog box, in the Alternate UPN suffixes box, type the name of the new UPN suffix.
  6. Click Add, and then click OK.

When you add a new user account to Active Directory, you should see the new UPN suffix available in the list when setting the username.