Automatically created AD objects

When you create a new domain with Managed Service for Microsoft Active Directory, some Active Directory objects are automatically created for you. These help you administer your AD domain, and make it easier to manage AD tasks typically delegated to other users or groups.

The following diagram provides an overview. Refer to the tables below for a complete list and description of each object.

[Diagram: AD groups]

Organizational units

Table 1 shows the organizational units (OU) created for you.

Table 1. Organizational units

| Name | Description |
|---|---|
| Cloud | Hosts all your AD objects. You have full control inside this OU. |
| Cloud Service Objects | Hosts AD objects created and managed by Managed Microsoft AD. Only Google Cloud can create objects under this OU, though you can update some attributes on the pre-created objects. |

Groups

The following groups are created under the Cloud Service Objects OU.

Table 2. Groups in the Cloud Service Objects OU

| Name | Type | Description |
|---|---|---|
| Cloud Service Administrators | Global | Members are administrators of the Managed Microsoft AD cloud service. |
| Cloud Service All Administrators | Domain Local | Members are administrators of the Managed Microsoft AD cloud service. This can include members from trusted domains. |
| Cloud Service Computer Administrators | Domain Local | Members are administrators on machines joined to the domain. |
| Cloud Service DNS Administrators | Domain Local | Members can add, remove, and modify DNS entries inside the Active Directory-integrated DNS zones. |
| Cloud Service Managed Service Account Administrators | Domain Local | Members can administer Managed Service Accounts. |
| Cloud Service Computer Remote Desktop Users | Domain Local | Members have remote desktop rights on machines joined to the domain. |
| Cloud Service Site Administrators | Domain Local | Members can rename Active Directory sites. |
| Cloud Service Protected Users | Global | The protections of the Protected Users group are applied to members. |
| Cloud Service Group Policy Creator Owners | Domain Local | Members can create Group Policy Objects (GPOs). GPOs can only be linked to the Cloud OU and objects inside it. |
| Cloud Service Domain Join Accounts | Domain Local | Members can join computers to the domain. |

Group Policy Objects

Managed Microsoft AD automatically creates some Group Policy Objects (GPO) to support certain Group Policy features.

Table 3. Group Policy Objects

| Name | Description |
|---|---|
| Cloud Service Default Computer Policy | Linked to the Cloud OU. Grants Cloud Service Computer Administrators local administrator rights, and Cloud Service Computer Remote Desktop Users Remote Desktop (RDP) privileges, on computers in the Cloud OU. |

Users

Managed Microsoft AD automatically creates the users shown in table 4.

Table 4. Users

| Name | Description |
|---|---|
| setupadmin (default) | Delegated administrator account for you to manage your domain. The name defaults to setupadmin; you can specify a different name during domain creation. Running the command to reset the password for a domain sets the password for this account. |
| cloudsvcadmin | Service account used by Managed Microsoft AD to manage the domain. This account is intended for use by the system and should not be used directly, modified, or deleted. |

Delegated administrator

Table 5 shows the Active Directory rights that are automatically granted to the delegated administrator account when you provision the domain. These rights are granted by the account's group memberships, so if you remove the account from one of those groups, that may affect its rights and available actions. This account has the default name setupadmin. If you changed the account name but do not remember the value, you can retrieve it. Learn more about using the delegated administrator account.

Table 5. Delegated administrator account rights

| Active Directory object | Distinguished name | Actions permitted for the delegated administrator account |
|---|---|---|
| Cloud OU | OU=Cloud,DC=<domain-name> | Can perform CRUD operations on any object type under the Cloud OU. Can link GPOs to this OU and its sub-OUs. Cannot delete or rename the OU. |
| Managed Service Accounts container | CN=Managed Service Accounts,DC=<domain-name> | Can create, update, and delete group Managed Service Accounts and perform all related management. |
| MicrosoftDNS container | CN=MicrosoftDNS,CN=System,DC=<domain-name> | Can connect to the AD-integrated DNS server by using DNS Manager. |
| DomainDNSZones folder | CN=MicrosoftDNS,DC=DomainDNSZones,DC=<domain-name> | Can create conditional forwarders, A records, CNAME records, DNS delegations, forward lookup zones, and reverse lookup zones. |
| ForestDNSZones folder | CN=MicrosoftDNS,DC=ForestDNSZones,DC=<domain-name> | Can create conditional forwarders, A records, CNAME records, DNS delegations, forward lookup zones, and reverse lookup zones. |
| Delegated administrator account (default name: setupadmin) | CN=<delegated-admin-name>,OU=Cloud Service Objects,DC=<domain-name> | Can change the password of the delegated administrator account that is automatically created during domain provisioning. Learn more about getting this account's name and resetting its password. |
| Cloud Service Administrators | CN=Cloud Service Administrators,OU=Cloud Service Objects,DC=<domain-name> | Can add AD objects to, and remove them from, the Cloud Service Administrators managed group. Any account added to this group is granted the same set of permissions as the delegated administrator account. |
| All sites | All sites under CN=Sites,CN=Configuration,DC=<domain-name> | Can change the Active Directory site name. |
| All managed groups | All Cloud managed groups under OU=Cloud Service Objects,DC=<domain-name> | Can add AD objects to, and remove them from, the pre-created Cloud managed groups. Does not apply to the built-in Active Directory groups that are created during AD installation. |
| Policies container | CN=Policies,CN=System,DC=<domain-name> | Can create, update, and delete Group Policy Objects. Cannot edit or delete the Default Domain Controllers Policy or Default Domain Policy GPOs. |
| Partitions container (UPN suffixes) | CN=Partitions,CN=Configuration,DC=<domain-name> | Can change UPN suffixes. |
| Terminal Server License Servers | CN=Terminal Server License Servers,CN=Builtin,DC=<domain-name> | Can add Windows Servers with the Terminal Server License Server role to the Terminal Server License Servers built-in group. |
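Because the delegated administrator's rights in Table 5 are carried entirely by the group memberships in Table 2 and the GPO link in Table 3, it is worth checking periodically that those objects are still in place. The following PowerShell script is an added example, not code from Google or the Managed Microsoft AD service; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host with read access to the domain, and that $DelegatedAdmin holds the name chosen at domain creation.

```powershell
# Added example: audit the pre-created Managed Microsoft AD objects and the
# delegated administrator's memberships. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; $DelegatedAdmin defaults to the documented default name.
param([string]$DelegatedAdmin = 'setupadmin')

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$svcOu    = "OU=Cloud Service Objects,$domainDn"   # Table 1
$cloudOu  = "OU=Cloud,$domainDn"                   # Table 1

# Groups that Managed Microsoft AD creates under the Cloud Service Objects OU (Table 2).
$expectedGroups = @(
    'Cloud Service Administrators',
    'Cloud Service All Administrators',
    'Cloud Service Computer Administrators',
    'Cloud Service DNS Administrators',
    'Cloud Service Managed Service Account Administrators',
    'Cloud Service Computer Remote Desktop Users',
    'Cloud Service Site Administrators',
    'Cloud Service Protected Users',
    'Cloud Service Group Policy Creator Owners',
    'Cloud Service Domain Join Accounts'
)

# 1. Each expected group should exist in the service OU. Print its scope and
#    recursive membership, since membership is what confers the delegated rights.
foreach ($name in $expectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $svcOu -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Missing pre-created group: $name"; continue }
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    '{0} ({1}): {2}' -f $name, $group.GroupScope, ($members -join ', ')
}

# 2. Show which of the managed groups the delegated administrator is in. Compare this
#    with what you recorded at provisioning: removing the account from a group drops
#    the corresponding Table 5 rights without any other warning.
$memberOf = Get-ADPrincipalGroupMembership -Identity $DelegatedAdmin |
            Select-Object -ExpandProperty Name
"$DelegatedAdmin is a member of: " + (($expectedGroups | Where-Object { $_ -in $memberOf }) -join ', ')

# 3. Confirm the default computer policy (Table 3) is still linked to the Cloud OU.
$links = (Get-GPInheritance -Target $cloudOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq 'Cloud Service Default Computer Policy' })) {
    Write-Warning "Cloud Service Default Computer Policy is not linked to $cloudOu"
}
```

Run it from an account that can read the domain; it makes no changes, so it is safe to schedule as a recurring configuration check.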