Granting local administrator permissions without Active Directory on Windows-based Amazon WorkSpaces Pools and Amazon AppStream 2.0

This article will demonstrate how you can grant users local administrator privileges on Windows-based WorkSpaces Pools and AppStream 2.0 setups without using Active Directory.

Dan Garibay
Amazon Employee
Published Dec 21, 2024

Overview

When logging into a Windows-based WorkSpaces Pool or AppStream 2.0 Fleet that is not using Active Directory, end users will be running as a local account named PhotonUser. This account does not have local administrator privileges, and there is no built-in method to add administrator privileges to end users of WorkSpaces Pools or AppStream 2.0 Fleets.
This article will describe how you can customize an image to grant the PhotonUser administrative rights.
This article does not cover privilege management on Linux-based instances, which will be a separate article.

Important Security Consideration

CAUTION: This method will apply administrator rights to any user, at the image level. It should therefore be used with caution. When capturing an image in this configuration, be sure to note in the Description/tags that it includes local admin modification. You would not want to accidentally use this image with users you do not intend to have local administrator privileges.
You can grant administrator rights at a more granular level by using Active Directory, combined with Group Policy control of the local Administrators group. That method also means the image itself does not inherently confer admin rights to any user who logs in.
For more information, see Microsoft's Security Identifiers documentation page.

Getting Started

To begin, you will need to launch an image builder instance.
  • AppStream 2.0: follow the steps at Launch an Image Builder.
  • WorkSpaces Pools: WorkSpaces Pools do not have a dedicated Image Builder component. To build a custom WorkSpaces Pools image, launch a WorkSpaces Personal instance using the DCV protocol, and connect to it. When you create an image & bundle from this WorkSpace, it will be eligible for use on Pools.
    • The PCoIP protocol cannot be used with Pools, so be sure to use a DCV source image.

Modifying the Permissions

After logging into your AppStream 2.0 image builder or WorkSpaces Personal instance, perform the following steps:
  1. Open the Run menu by right-clicking the Windows logo in the bottom left and selecting Run.
  2. Type lusrmgr.msc and press Enter.
  3. In the resulting Local Users and Groups console, select Groups in the left column, right-click Administrators in the middle section, and then select Properties.
    1. In the resulting Administrators Properties window, you will see Administrator and ImageBuilderAdmin as the only members of the group by default.
  4. Select Add... at the bottom of the Administrators Properties window.
    1. In the resulting Select Users window, the bottom field will say Enter the object names to select. Type interactive into this box, and then select Check Names to the right. You will see it become all caps INTERACTIVE and be underlined. Select OK at the bottom right.
  5. You will now see NT AUTHORITY\INTERACTIVE (S-1-5-4) in the Members list of the Administrators Properties window. Select OK at the bottom to save the changes and close the Administrators Properties window.
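The same change can be scripted and, more importantly, verified. The following PowerShell is an added example and not part of the original article: it adds NT AUTHORITY\INTERACTIVE (S-1-5-4) to the local Administrators group using the built-in LocalAccounts cmdlets, and the Test-InteractiveIsLocalAdmin function can also be run on its own to audit any image builder or captured image for this configuration before it is assigned to a pool or fleet. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt on the image builder or WorkSpaces Personal instance.

```powershell
# Added example: apply and verify the INTERACTIVE -> Administrators change.
# Assumes an elevated Windows PowerShell 5.1+ session on the image builder.
#Requires -RunAsAdministrator

$GroupName      = 'Administrators'
$InteractiveSid = 'S-1-5-4'   # Well-known SID for NT AUTHORITY\INTERACTIVE, as shown in the console

function Test-InteractiveIsLocalAdmin {
    # Returns $true when INTERACTIVE is a member of the local Administrators group,
    # i.e. any interactively logged-on user (such as PhotonUser) is an administrator.
    # Comparing on SID rather than display name keeps the check locale-independent.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $InteractiveSid })
}

function Grant-InteractiveLocalAdmin {
    if (Test-InteractiveIsLocalAdmin) {
        Write-Host "INTERACTIVE is already a member of $GroupName; nothing to do."
        return
    }
    # Name form matches what the Local Users and Groups console shows.
    Add-LocalGroupMember -Group $GroupName -Member 'NT AUTHORITY\INTERACTIVE' -ErrorAction Stop
    Write-Host "Added NT AUTHORITY\INTERACTIVE ($InteractiveSid) to $GroupName."
}

# Record the group's state before the change so it can be noted in the image description/tags.
Write-Host "Members of $GroupName before the change:"
Get-LocalGroupMember -Group $GroupName | Format-Table Name, SID, ObjectClass -AutoSize

Grant-InteractiveLocalAdmin

# Fail loudly if the membership did not take effect.
if (-not (Test-InteractiveIsLocalAdmin)) {
    throw "NT AUTHORITY\INTERACTIVE was not added to $GroupName."
}
Write-Host "Verified: INTERACTIVE ($InteractiveSid) is a member of $GroupName."
```

Running only Test-InteractiveIsLocalAdmin on an instance launched from an existing image tells you whether that image already carries the admin modification, which is useful when the description or tags were not updated as the caution above recommends.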

Conclusion

You have now finished making the required changes for local users to have administrator permissions on their non-domain-joined AppStream 2.0 or WorkSpaces Pools instances. From this point, proceed as normal with image creation and deployment.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
