Manage Active Directory objects

This page describes how to manage the Active Directory objects in your Managed Service for Microsoft Active Directory domain.

Before you begin

Before managing your Active Directory objects, you should complete the following steps:

Install RSAT

To manage the Active Directory objects, you need to install RSAT only once on every Managed Microsoft AD domain.

To install RSAT, complete the following steps:

  1. Connect to the Windows VM.

  2. On the Windows VM, open the Add Roles and Features Wizard.

  3. In the Add Roles and Features Wizard, navigate to the Select features page. You can either select Features from the sidebar menu or click Next until you view the Select features page.

  4. On the Select features page, expand Remote Server Administration Tools from the Features list, and then expand Role Administration Tools.

  5. Under Role Administration Tools, select AD DS and AD LDS Tools. This enables the following features:

    • Active Directory module for Windows PowerShell
    • AD LDS Snap-Ins and Command-Line Tools
    • Active Directory Administrative Center
    • AD DS Snap-Ins and Command-Line Tools

  6. Optional: If you want, you can enable the following features as well:

    • Group Policy Management
    • DNS Server Tools (under Role Administration Tools)

  7. Click Next.

  8. On the Confirmation page, click Install.

  9. On the Results page, click Close.

Manage objects

For security reasons, you cannot directly access the domain controller using either Remote Desktop Protocol (RDP) or any other tools. Instead, you can connect to a domain-joined VM using RDP and use the standard AD tools to work remotely with the Active Directory objects in your domain.

To manage your Active Directory objects, complete the following steps:

  1. Connect to the Windows VM that you have joined with the Managed Microsoft AD domain. For more information, see Connect to Windows VMs using RDP.

  2. Open the Active Directory Users and Computers console (dsa.msc).

  3. Select the Active Directory domain name, and expand the item.

  4. To manage your Active Directory objects, use the organizational units (OU) provided by Managed Microsoft AD. Although you have full control of the objects in the Cloud OU, you can update only some attributes of the objects in the Cloud Service Objects OU.

You must have necessary permissions to manage your Active Directory objects. For information about which users have permissions on which Active Directory objects, see Default Active Directory objects.

You can perform only a few Active Directory administrative tasks on your domain such as creating trust, extending the schema, and disabling SID filtering. You need to use the Google Cloud console, gcloud CLI, or APIs to perform these tasks, and not the standard AD tools.

Organizational units

Managed Microsoft AD provides two OUs, Cloud and Cloud Service Objects.

Managed Microsoft AD creates Cloud in your Managed Microsoft AD domain to host all of your AD objects. You have full administrative access to this OU. You can use the Cloud OU to create users, groups, computers, or further sub-OUs.

The Cloud Service Objects OU hosts AD objects that Managed Microsoft AD creates and manages. Only Google Cloud can create objects under this OU, but you can update some of their attributes.

For more information about the groups under the Cloud Service Objects OU, see Groups.

You can manage only the Cloud and Cloud Service Objects OUs. Managed Microsoft AD reserves Active Directory object creation for other OUs. This provides the added benefit of increased security, and helps you to administer AD policies that apply to OUs.