When you create a new domain with Managed Service for Microsoft Active Directory, some Active Directory objects are automatically created for you. These help you administer your AD domain, and make it easier to manage AD tasks typically delegated to other users or groups.
The following diagram provides an overview. Refer to the tables below for a complete list and description of each object.
Organizational units
Table 1 shows the organizational units (OUs) created for you.

Name | Description |
---|---|
Cloud | Hosts all your AD objects. You have full control inside this OU. |
Cloud Service Objects | Hosts AD objects created and managed by Managed Microsoft AD. Only Google Cloud can create objects under this OU, though you can update some attributes on the pre-created objects. |
Groups
The following groups are created under the Cloud Service Objects OU.

Name | Type | Description |
---|---|---|
Cloud Service Administrators | Global | Members are administrators of the Managed Microsoft AD cloud service. |
Cloud Service All Administrators | Domain Local | Members are administrators of the Managed Microsoft AD cloud service. This can include members from trusted domains. |
Cloud Service Computer Administrators | Domain Local | Members are local administrators on machines joined to the domain. |
Cloud Service DNS Administrators | Domain Local | Members can add, remove, and modify DNS entries inside the Active Directory-integrated DNS zones. |
Cloud Service Managed Service Account Administrators | Domain Local | Members can administer Managed Service Accounts. |
Cloud Service Computer Remote Desktop Users | Domain Local | Members have Remote Desktop rights on machines joined to the domain. |
Cloud Service Site Administrators | Domain Local | Members can rename Active Directory sites. |
Cloud Service Protected Users | Global | Protections from the Protected Users group are applied to members. |
Cloud Service Group Policy Creator Owners | Domain Local | Members can create Group Policy Objects (GPOs). GPOs can only be linked to the Cloud OU and objects inside it. |
Cloud Service Domain Join Accounts | Domain Local | Members can join computers to the domain. |
Cloud Service Fine Grained Password Policy Administrators | Domain Local | Members can modify password policies and assign them to users and groups. |
Managed Microsoft AD doesn't support providing time-limited group memberships to users by using Privileged Access Management for Active Directory Domain Services.
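Because every right in Managed Microsoft AD is delegated through these pre-created groups rather than through direct ACL edits or built-in admin groups, day-to-day delegation is a matter of group membership. The following PowerShell is an added example, not part of the Managed Microsoft AD documentation, and assumes the ActiveDirectory module is available on a domain-joined administration host, that you are running as the delegated administrator, and that the principals `helpdesk01` and `adm-jdoe` exist (both hypothetical). It delegates DNS and RDP rights to a helpdesk account, places an admin account under the managed Protected Users group, and then reviews every managed group and its effective (nested) membership.

```powershell
# Added example (not from the Managed Microsoft AD documentation).
# Assumptions: ActiveDirectory module present, running as the delegated
# administrator, and the sample accounts "helpdesk01" and "adm-jdoe" exist.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=example,DC=com
$svcOu    = "OU=Cloud Service Objects,$domainDn"

# Delegate DNS administration and RDP access purely through the managed groups.
Add-ADGroupMember -Identity "Cloud Service DNS Administrators"            -Members "helpdesk01"
Add-ADGroupMember -Identity "Cloud Service Computer Remote Desktop Users" -Members "helpdesk01"

# Apply Protected Users hardening to a privileged account. Members of the
# managed group get the Protected Users protections applied by the service.
Add-ADGroupMember -Identity "Cloud Service Protected Users" -Members "adm-jdoe"

# Review the outcome: every managed group directly under the Cloud Service
# Objects OU with its recursive membership. Cloud Service Administrators and
# Cloud Service All Administrators deserve the closest look, since any member
# of them holds the same rights as the delegated administrator account.
Get-ADGroup -SearchBase $svcOu -SearchScope OneLevel -Filter 'Name -like "Cloud Service *"' |
  Sort-Object Name |
  ForEach-Object {
    # @() keeps .Count well defined when a group has zero or one member.
    $members = @(Get-ADGroupMember -Identity $_ -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
      Group       = $_.Name
      Scope       = $_.GroupScope
      MemberCount = $members.Count
      Members     = ($members -join ', ')
    }
  } | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive fails on a Domain Local group that contains a foreign security principal from a trusted domain that cannot be resolved; if Cloud Service All Administrators holds members from a trust, enumerate that group without -Recursive and resolve the foreign SIDs separately.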
Group Policy Objects
Managed Microsoft AD automatically creates some Group Policy Objects (GPO) to support certain Group Policy features.
Name | Description |
---|---|
Cloud Service Default Computer Policy | Linked to the Cloud OU. Grants Cloud Service Computer Administrators local administrator rights and Cloud Service Computer Remote Desktop Users Remote Desktop (RDP) privileges on computers in the Cloud OU. |
You can create custom GPOs and link them to the Cloud OU or to any of the child OUs within the Cloud OU. For information about linking a GPO to an OU, see Link the GPO to the Domain.
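The practical consequence of the delegation model is that a custom GPO has to be linked at the Cloud OU or below; linking at the domain root or editing the Default Domain Policy fails because those actions require the reserved Domain Admins rights. The following PowerShell is an added example, not code from the Managed Microsoft AD documentation, and assumes the ActiveDirectory and GroupPolicy modules are installed on your administration host. The child OU name `Servers`, the GPO name `Cloud Servers Baseline`, and the NoLMHash setting used as a sample policy value are all assumptions chosen for illustration.

```powershell
# Added example (not from the Managed Microsoft AD documentation).
# Assumptions: ActiveDirectory + GroupPolicy modules available; the OU name,
# GPO name and the sample registry setting below are illustrative choices.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$cloudOu  = "OU=Cloud,$domainDn"
$ouName   = "Servers"                  # hypothetical child OU under Cloud
$gpoName  = "Cloud Servers Baseline"   # hypothetical GPO name

# 1. Child OUs can be created freely under the Cloud OU (full control there).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
              -SearchBase $cloudOu -SearchScope OneLevel
if (-not $existing) { New-ADOrganizationalUnit -Name $ouName -Path $cloudOu }
$targetOu = "OU=$ouName,$cloudOu"

# 2. Creating the GPO is permitted through Cloud Service Group Policy
#    Creator Owners; the GPO lives under CN=Policies in the domain.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
  $gpo = New-GPO -Name $gpoName -Comment "Baseline for servers under the Cloud OU"
}

# 3. A sample registry-based computer setting: stop storing LM hashes.
Set-GPRegistryValue -Name $gpoName `
  -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
  -ValueName "NoLMHash" -Type DWord -Value 1 | Out-Null

# 4. Link it to the child OU. Targets outside the Cloud OU subtree (for
#    example the domain root) are rejected because that needs Domain Admins.
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
  New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 5. Confirm what actually applies to computers in that OU, in processing
#    order. Cloud Service Default Computer Policy should be inherited from
#    the Cloud OU alongside the new link.
(Get-GPInheritance -Target $targetOu).InheritedGpoLinks |
  Select-Object Order, DisplayName, Enabled, Enforced, Target |
  Format-Table -AutoSize
```

Step 4 is the check worth keeping in any automation: run the same New-GPLink with `-Target $domainDn` and it fails with an access-denied error, which is the expected behaviour of the delegated administrator account, not a misconfiguration.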
Password Settings Objects
Managed Microsoft AD automatically creates ten password settings objects (PSO). You cannot change the name or precedence of these PSOs. Table 4 shows the names and precedences of these PSOs.
Name | Precedence |
---|---|
PSO-10 | 10 |
PSO-20 | 20 |
PSO-30 | 30 |
PSO-40 | 40 |
PSO-50 | 50 |
PSO-60 | 60 |
PSO-70 | 70 |
PSO-80 | 80 |
PSO-90 | 90 |
PSO-100 | 100 |
Default values are assigned to the password policy settings for each PSO. You can change these values. Table 5 shows these default settings.
Policy | Setting |
---|---|
Complexity enabled | True |
Lockout duration | 30 minutes |
Lockout observation window | 30 minutes |
Lockout threshold | 0 |
Maximum password age | 42 days |
Minimum password age | 1 day |
Minimum password length | 7 |
Password history count | 24 |
Reversible encryption enabled | False |
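Two of the defaults deserve attention from a security standpoint: a lockout threshold of 0 means accounts never lock out, and a minimum length of 7 is weak for privileged accounts. Because the ten PSOs already exist with fixed names and precedences, hardening is done by editing their settings and assigning subjects, not by creating new PSOs. The following PowerShell is an added example, not from the Managed Microsoft AD documentation; it assumes the ActiveDirectory module and that you are running as the delegated administrator or a member of Cloud Service Fine Grained Password Policy Administrators. The specific values (14 characters, 10 failed attempts) are assumptions, not service recommendations.

```powershell
# Added example (not from the Managed Microsoft AD documentation).
# Assumptions: ActiveDirectory module; caller has PSO administration rights;
# the chosen values are illustrative, not service defaults or recommendations.
Import-Module ActiveDirectory

# Names and precedences are fixed by the service, so do not pass -Name or
# -Precedence; PSO-10 has the lowest (winning) precedence of the ten.
$psoName = "PSO-10"

# Replace the weak defaults: no lockout (threshold 0) and 7-character minimum.
Set-ADFineGrainedPasswordPolicy -Identity $psoName `
  -ComplexityEnabled           $true `
  -ReversibleEncryptionEnabled $false `
  -MinPasswordLength           14 `
  -PasswordHistoryCount        24 `
  -MinPasswordAge              "1.00:00:00" `
  -MaxPasswordAge              "42.00:00:00" `
  -LockoutThreshold            10 `
  -LockoutObservationWindow    "00:30:00" `
  -LockoutDuration             "00:30:00"

# Target the groups whose members hold the most rights. A user covered by
# several PSOs gets the one with the lowest precedence number.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName `
  -Subjects "Cloud Service Administrators", "Cloud Service Computer Administrators"

# Verify the resultant policy for a member account. The cmdlet returns nothing
# when no PSO applies to the user, in which case the domain policy governs.
Get-ADUserResultantPasswordPolicy -Identity "setupadmin" |
  Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge

# Review all ten PSOs and what each one currently applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
  Sort-Object Precedence |
  Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
                ComplexityEnabled, AppliesTo |
  Format-Table -AutoSize
```

Assign subjects by group rather than by individual user wherever possible; a PSO whose AppliesTo list is a handful of groups is far easier to audit than one accumulating user DNs over time.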
Users
Managed Microsoft AD automatically creates the users shown in table 6.

Name | Description |
---|---|
setupadmin (default) | Delegated administrator account for you to manage your domain. The name defaults to setupadmin. Resetting the password for a domain sets the password for this account. |
cloudsvcadmin | Service account used by Managed Microsoft AD to manage the domain. This account is intended for use by the system and should not be directly used, modified, or deleted. |
Delegated administrator
Table 7 shows the Active Directory rights that are automatically granted to the delegated administrator account when you provision the domain. These rights are granted by the account's group memberships, so removing the account from one of those groups changes its rights and available actions. The account has the default name setupadmin. If you changed the account name but do not remember the value, you can retrieve it. For more information, see Use delegated administrator account.

The delegated administrator account is not a member of Domain Admins, Enterprise Admins, or BUILTIN\Administrators, because Managed Microsoft AD is a managed service and Google reserves those permissions for itself. Consequently you cannot use Active Directory features that require those permissions in Managed Microsoft AD, such as Distributed File System (DFS), DHCP, configuring GPOs at the domain level, replicating directory changes, raising forest functional levels, and other forest-wide changes.
Active Directory object | Distinguished name | Delegated administrator account actions permitted on object |
---|---|---|
Cloud | OU=Cloud, | Can perform CRUD operations for any object type under the Cloud OU. Can link GPOs to this OU and its sub-OUs. Cannot delete or rename the OU. |
Managed Service Account container | CN=Managed Service Accounts, | Can create, update, and delete group Managed Service Accounts and perform all related management. |
MicrosoftDNS container | CN=MicrosoftDNS, | Can connect to the AD-integrated DNS server by using DNS Manager. |
DomainDNSZones folder | CN=MicrosoftDNS, | Can create conditional forwarders, A records, CNAME records, DNS delegations, forward lookup zones, and reverse lookup zones. |
ForestDNSZones folder | CN=MicrosoftDNS, | Can create conditional forwarders, A records, CNAME records, DNS delegations, forward lookup zones, and reverse lookup zones. |
Delegated administrator account (default name: setupadmin) | CN=<delegated-admin-name>, | Can change the password of the delegated administrator account that is automatically created during domain provisioning. Learn more about getting this account's name and resetting its password. |
Cloud Service Administrators | CN=Cloud Service Administrators, | Can add AD objects to and remove them from this group. Any account added to this group is granted the same set of permissions as the delegated administrator account. |
All sites | All sites under: CN=Sites, | Can change the Active Directory site name. |
All managed groups | All Cloud managed groups under: OU=Cloud Service Objects, | Can add AD objects to and remove them from the pre-created Cloud managed groups. Does not apply to the built-in Active Directory groups that are created during AD installation. |
Policies container | CN=Policies, | Can create, update, and delete Group Policy Objects. Cannot edit or delete the Default Domain Controllers Policy or Default Domain Policy GPOs. |
Partitions container (UPN suffixes) | CN=Partitions, | Can change UPN suffixes. |
Terminal Services License Server | CN=Terminal Server License Servers, | Can add Windows Servers with the Terminal Services Licensing role to the Terminal Server License Servers built-in group. |
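Since every right in table 7 is carried by group membership and by ACEs on the objects listed, the two things worth verifying after provisioning, and again periodically, are that the delegated administrator has not drifted into the reserved built-in groups and that nobody has quietly been added to Cloud Service Administrators. The following PowerShell is an added example, not from the Managed Microsoft AD documentation; it assumes the ActiveDirectory module, the default account name setupadmin (adjust `$admin` if you renamed it), and that the Cloud OU sits directly under the domain root as the table's truncated distinguished name suggests.

```powershell
# Added example (not from the Managed Microsoft AD documentation).
# Assumptions: ActiveDirectory module; delegated admin named "setupadmin";
# the Cloud OU is OU=Cloud,<domain DN>.
Import-Module ActiveDirectory

$admin    = "setupadmin"
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Rights come from group membership, so start by listing it. This cmdlet
#    returns direct memberships only; nested membership is handled in step 4.
$groups = Get-ADPrincipalGroupMembership -Identity $admin |
            Select-Object -ExpandProperty Name
"Direct membership of ${admin}: " + ($groups -join ', ')

# 2. These built-in groups are reserved by the service and must stay empty
#    of customer accounts. Any hit here is worth an immediate investigation.
$reserved   = "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"
$violations = $reserved | Where-Object { $_ -in $groups }
if ($violations) {
  Write-Warning "Reserved group membership found: $($violations -join ', ')"
}

# 3. Show the ACEs on the Cloud OU that implement the delegation in table 7.
#    Look for GenericAll / CreateChild / DeleteChild granted to the managed
#    groups; an ACE for an unexpected principal is the kind of drift that
#    silently widens who controls the OU.
$acl = Get-Acl -Path "AD:\OU=Cloud,$domainDn"
$acl.Access |
  Where-Object { -not $_.IsInherited } |
  Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                InheritanceType, ObjectType |
  Format-Table -AutoSize

# 4. Everyone who is effectively a delegated administrator, nested groups
#    included. This list should be short and entirely expected.
Get-ADGroupMember -Identity "Cloud Service Administrators" -Recursive |
  Select-Object SamAccountName, objectClass, distinguishedName |
  Format-Table -AutoSize
```

Step 2 should never fire on a healthy domain: the service does not place the delegated administrator in those groups, and the account itself lacks the rights to add members to them, so a hit indicates either a misread of the environment or a change made by a principal with more privilege than the delegated model allows.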