
Managing Administrator Privileges on Domain Joined Amazon WorkSpaces and Amazon AppStream 2.0

This article will show you how to use Active Directory Group Policy to automatically manage administrator privileges on Active Directory domain joined WorkSpaces and AppStream 2.0 fleets

Dan Garibay
Amazon Employee
Published Sep 23, 2024

Overview

Customers use Amazon WorkSpaces and Amazon AppStream 2.0 to get a fully managed remote desktop solution in the AWS cloud. Customers sometimes ask how they can manage local administrator privileges on their Windows-based Amazon WorkSpaces and domain-joined AppStream 2.0 instances.
By default, WorkSpaces offer a way to determine whether the assigned user is granted administrator privileges. Customers may want to grant other users besides the assigned user administrative privileges. The most standard use case for this is granting your help desk or IT department local administrator privileges on the fleet. This ensures you can perform administrative tasks at scale, or help end users individually.
Active Directory Group Policy provides a path for easily managing this on domain-joined computers. In this article, you will learn how to use Group Policy to manage the local Administrators group of your WorkSpaces and domain joined AppStream 2.0 instances.

Prerequisites

For this walkthrough, you should have the following prerequisites:
  • Pre-existing Windows WorkSpaces/AppStream 2.0 deployment
  • Access to your Active Directory, with sufficient privileges to create new Group Policy
  • A Windows computer joined to the domain you need to manage

Prerequisite: Install the Active Directory Administration Tools

This is a prerequisite section, to assist if you do not already have the Active Directory administration tools installed on your Windows domain management computer (such as your WorkSpace). If you already have these installed, you can skip to the next section.
These steps need to be performed on a Windows machine which is connected to the same Active Directory you will be administering. A Windows WorkSpace joined to the same domain is an option.
  1. Begin by logging into the Windows WorkSpace or EC2 instance you will use for Active Directory administration.
  2. Open an Administrative PowerShell console by right-selecting the Start button and choosing “Windows PowerShell (Admin)” or “Terminal (Admin)”.
  3. Run winver and note whether your system is based on Windows Server or Windows 10/11.
  4. Run one of the following command sets, based on the result:
     If your WorkSpace is based on Windows Server:
       Install-WindowsFeature GPMC,RSAT-AD-Tools,RSAT-AD-PowerShell
     If your WorkSpace is based on Windows 10 or 11:
       Add-WindowsCapability -Name Rsat.GroupPolicy.Management.Tools -Online
       Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools -Online
This will install the Active Directory MMC tools, Active Directory PowerShell cmdlets, and the Group Policy console.
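As an added example (not part of the original article), the following PowerShell detects the OS type for you instead of reading winver by hand, installs the matching tools, and confirms the cmdlets this walkthrough relies on are available. It assumes an elevated session on the domain-joined management machine; the wildcard lookup of the RSAT capability names is there because Add-WindowsCapability expects the full versioned name.

```powershell
# Added example: install the AD admin tools for the current OS type.
# Run from an elevated PowerShell session on the domain-joined management machine.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType: 1 = workstation (Windows 10/11), 2 = domain controller, 3 = member server
if ($os.ProductType -eq 1) {
    # Client OS: RSAT ships as Features on Demand. Resolve the full capability
    # names (they carry a version suffix) and install whatever is not present.
    Get-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools*', 'Rsat.ActiveDirectory.DS-LDS.Tools*' |
        Where-Object { $_.State -ne 'Installed' } |
        Add-WindowsCapability -Online
} else {
    # Server OS: the same tools are Windows features.
    Install-WindowsFeature -Name GPMC, RSAT-AD-Tools, RSAT-AD-PowerShell
}

# Verify the cmdlets used later in this walkthrough resolve before continuing.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop
Get-Command -Name Get-ADGroup, New-ADGroup, New-GPO, New-GPLink |
    Select-Object Name, Source
```

If Import-Module fails on a client OS, the capability install usually needs a new PowerShell session (or a reboot) before the modules are visible.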

Prerequisite: Identify the WorkSpaces Organizational Unit

To scope this Group Policy to be specific to your WorkSpaces, you will need to identify the Organizational Unit your WorkSpaces’ Active Directory Computer Objects are placed into.
  1. Open the WorkSpaces console. Validate your Region in the top right of the console, and change it if appropriate.
  2. In the left menu, select Directories.
  3. Select your Directory.
  4. In the “Summary” section at the top, you will see “Organizational unit.” Note this for future reference (or keep this console open in a separate tab).

Prerequisite: Identify the AppStream Organizational Unit

To scope this Group Policy to be specific to your AppStream instances, you will need to identify the Organizational Unit your AppStream Active Directory Computer Objects are placed into.
  1. Open the AppStream console. Validate your Region in the top right of the console, and change it if appropriate.
  2. In the left menu, select Directory Configs.
  3. Select your Directory.
  4. In the “Directory Config Details” section at the top, you will see “Organizational Units (OUs).” Note this for future reference (or keep this console open in a separate tab).
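The same two OU lookups can be scripted. This is an added example, not from the original article: it calls the AWS CLI (assumed to be installed, with credentials and a Region already configured) from PowerShell and prints only the directory identifiers and the OU distinguished names you need for the GPO links in the next sections. The Region value is a placeholder.

```powershell
# Added example: list the OU(s) where WorkSpaces and AppStream 2.0 place computer objects.
# Assumes the AWS CLI is installed and credentials are configured.
$region = 'us-east-1'   # placeholder: use the Region shown in the WorkSpaces/AppStream console

Write-Host "WorkSpaces directories (DefaultOu is the OU for WorkSpaces computer objects):"
aws workspaces describe-workspace-directories --region $region `
    --query 'Directories[].{DirectoryId:DirectoryId,Alias:Alias,OU:WorkspaceCreationProperties.DefaultOu}' `
    --output table

Write-Host "AppStream 2.0 directory configs (one or more OUs per directory):"
aws appstream describe-directory-configs --region $region `
    --query 'DirectoryConfigs[].{Directory:DirectoryName,OUs:OrganizationalUnitDistinguishedNames}' `
    --output table
```

Copy the OU distinguished names from the output; they are the link targets for the Group Policy Object created later.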

Choose an Active Directory Security Group

You will need to designate a specific Active Directory Security Group to receive these privileges. You can open dsa.msc on your domain joined computer to view Active Directory users and groups.
An ideal group is one that is scoped to contain only your IT users (such as your help desk group or systems administration group). Use the Active Directory MMC to identify an appropriate group. One way to do this is to find your own Active Directory user, right-select it, choose Properties, and look at the Member Of tab.

Creating an Active Directory Security Group

If you do not have a representative “IT Users” group, you can follow these steps to create one.
  1. Open the Active Directory Users and Computers MMC by launching dsa.msc
  2. Expand your domain FQDN and look for your Users Organizational Unit.
  3. Right select the Users OU, and choose New > Group.
  4. Choose a Group name, for example EUC-IT-Admins. Leave the scope and group type at their default settings. Select OK to save the group.
  5. Right select the newly created group and choose Properties.
  6. Choose the Members tab. Select Add to add users. Add your IT user accounts to this group. Be sure to use the Check Names button to validate the accounts are valid. After entering your IT users, select OK to save the group, and then OK to close the group properties.
If you are using AWS Managed Active Directory, see the existing documentation for creating a group and adding a user to a group. It is nearly the same process, but you must use the delegated OU. You can also reference Microsoft documentation for more information on Active Directory Security Groups.
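The group creation above can also be done with the Active Directory PowerShell module installed in the prerequisite section. This is an added example, not from the original article; the container path and the member account names are placeholders, and for AWS Managed Microsoft AD the path must be inside your delegated OU. The scope and category match the dsa.msc defaults, and each account is looked up first, which is the scripted equivalent of the Check Names button.

```powershell
# Added example: create the IT admins security group and add members.
Import-Module ActiveDirectory

$groupName = 'EUC-IT-Admins'
$groupPath = 'CN=Users,DC=example,DC=com'   # placeholder: your Users container or delegated OU
$members   = @('jdoe', 'asmith')            # constructed sample sAMAccountNames

# Create the group only if it does not already exist (idempotent re-runs).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    # Global scope and Security category are the Active Directory Users and Computers defaults.
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $groupPath `
        -Description 'Granted local Administrators on WorkSpaces and AppStream 2.0 fleets'
}

# Validate each account before adding it, so a typo does not silently skip a user.
foreach ($sam in $members) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if ($null -eq $user) {
        Write-Warning "Account not found, skipping: $sam"
        continue
    }
    Add-ADGroupMember -Identity $groupName -Members $user
}

# Show the resulting membership for review.
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName, objectClass
```

Because this group becomes a local administrator on every linked computer, keep its membership small and review it periodically; the last line is a convenient way to do that review.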

Create your Local Administrator group policy

You have chosen or created a representative IT Active Directory security group. Now you can create a Group Policy to automatically add this group to the Administrators local group on your WorkSpaces.
  1. Open the Group Policy Management Console – gpmc.msc from the Run menu or the PowerShell prompt.
  2. In the left console, expand Forest, Domains, and your domain Fully Qualified Domain Name. Locate the Organizational Unit you identified in the previous section.
  3. Right select the OU and choose “Create a GPO in this domain, and Link it here…”
  4. Provide a name and description which identify the GPO for the future.
  5. If you need to associate your new Group Policy Object to multiple Organizational Units:
    1. Right select the additional OU.
    2. Choose Link an Existing GPO.
    3. Choose the GPO you just created, and then OK.
    4. Repeat for every additional OU you need to associate.
  6. Right select your new GPO in the list, and choose “Edit”.
  7. Expand Computer Configuration > Preferences > Control Panel Settings, then right-select Local users and Groups, and choose New > Local Group.
  8. Select the Group name: drop down menu and choose Administrators (built-in). Leave the “Action” at the top at the default setting, which is Update.
  9. Under the Members: section, select the Add… button.
  10. In the resulting Local Group Member pop-up box, leave the Action at the default, Add to this group. Then, choose the button to the right of the Name section.
  11. In the resulting Select User, Computer, or Group popup, enter the group name you chose or created in the prior steps, and choose Check Names to validate the selection. Choose OK to close this window.
  12. Choose OK to close the Local Group Member window.
  13. Choose OK to close the Administrators (built-in) window. If you would like to add any other groups to Local Administrator on your WorkSpaces, you can add additional groups in the same window first.
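Steps 1 through 5 (creating the GPO and linking it to one or more OUs) can be scripted with the GroupPolicy module; the Local Group preference item in steps 7 through 13 has no dedicated cmdlet and is still configured in the Group Policy Management Editor. This is an added example, not from the original article: the GPO name and the OU distinguished names are placeholders, and the script links the same GPO to every OU in the list without creating duplicate links. It also disables the User Configuration half of the GPO, since only Computer Configuration is used here.

```powershell
# Added example: create the GPO once and link it to each WorkSpaces/AppStream OU.
Import-Module GroupPolicy

$gpoName = 'EUC-Local-Admins'                       # placeholder GPO name
$ous = @(                                           # placeholder OU distinguished names
    'OU=WorkSpaces,DC=example,DC=com',
    'OU=AppStream,DC=example,DC=com'
)

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Adds EUC-IT-Admins to the local Administrators group'
}

# Only Computer Configuration is used, so turn off user-side processing.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link to every OU, skipping OUs that already carry this link.
foreach ($ou in $ous) {
    $alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
        Write-Host "Linked $gpoName to $ou"
    }
}

# Review the result: the GPO status and the links on each OU.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus
foreach ($ou in $ous) {
    (Get-GPInheritance -Target $ou).GpoLinks | Select-Object DisplayName, Enabled, Target
}
```

After running this, open the GPO in the editor (step 6 onward) to add the Administrators (built-in) Local Group item; Get-GPOReport -Name $gpoName -ReportType Html can then be used to confirm the preference item is present in the GPO before testing on a fleet instance.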

Testing

To test, log into a WorkSpace or AppStream instance in one of the OUs linked to your new Group Policy. Group Policy automatically refreshes on certain intervals, such as on restart, login, and every 90 minutes with a randomized offset of up to 30 minutes.
  1. Open an Admin PowerShell or Terminal window by right selecting the Start Menu in the bottom left of your screen.
    1. If you launch an Admin Terminal session, ensure the resulting tab is PowerShell. This is the default.
  2. Enter the command net localgroup administrators and view the results.
The expected output should show the Active Directory group you selected in the Group Policy. If you do not see the expected group, run gpupdate /force and then re-run the first command.
If the expected groups are still not present after updating Group Policy, run gpresult /h $env:userprofile\desktop\gp.html from your admin PowerShell session. This will put a gp.html file on the desktop. You can review this report to determine which Group Policies are and are not being applied, and adjust your settings accordingly.
The relevant section is: Computer Details > Settings > Preferences > Control Panel Settings > Local Users and Groups > Group (Name: Administrators (built-in)).
If the Computer Details section is empty, it means the gpresult command was run from a non-Admin PowerShell or Command Prompt session. Delete the file and re-run the command from an Admin session.
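The test procedure above, as an added PowerShell example that is not part of the original article. It first confirms the session is elevated (the cause of the empty Computer Details report), checks the local Administrators membership with Get-LocalGroupMember, and only then falls back to gpupdate and the gpresult report. The expected group name is a placeholder in DOMAIN\group form.

```powershell
# Added example: verify the Group Policy result on a WorkSpace or AppStream instance.
$expected = 'EXAMPLE\EUC-IT-Admins'   # placeholder: DOMAIN\group chosen in the GPO

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LocalAdminMember([string]$Name) {
    # Get-LocalGroupMember reports domain principals as DOMAIN\name in the Name property.
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    return ($members -contains $Name)
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an Admin (elevated) PowerShell session; gpresult needs it for Computer Details.'
}

if (Test-LocalAdminMember $expected) {
    Write-Host "OK: $expected is a member of the local Administrators group."
} else {
    Write-Host "$expected not present yet; forcing a Group Policy refresh."
    gpupdate /force | Out-Null
    if (Test-LocalAdminMember $expected) {
        Write-Host "OK after refresh: $expected is now a member of Administrators."
    } else {
        # Produce the HTML report on the desktop (/f overwrites an existing file).
        $report = Join-Path $env:USERPROFILE 'Desktop\gp.html'
        gpresult /h $report /f
        Write-Warning "Still missing. Review $report under Computer Details > Settings > Preferences > Control Panel Settings > Local Users and Groups."
    }
}
```

The same membership check is useful well after the rollout: running it on a schedule and alerting on members that are not in your expected list is a simple way to detect local-administrator drift on the fleet.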

Rollback

To remove this setup, you must alter the Group Policy, rather than simply deleting it. Deleting the Group Policy will not roll back the changes to any computer which already applied the policy. This is because Group Policy Preference items, such as this local group membership, make persistent changes to the computer that are not reverted when the item is no longer defined in the policy that originally applied it.
To roll back the change and remove the group from local admin privileges, follow these steps.
  1. Open the Group Policy Management Console – gpmc.msc from the Run menu or the PowerShell prompt.
  2. In the left console, expand Forest, Domains, and your domain Fully Qualified Domain Name. Locate the Organizational Unit you identified in the previous section.
  3. Right select your local admin GPO in the list, and choose “Edit”.
  4. Expand Computer Configuration > Preferences > Control Panel Settings > Local users and Groups.
  5. In the right section, right-select the Administrators (built-in) name and select Properties.
  6. Under the Members: section, select the group you added previously, and then Change… beneath it.
  7. In the resulting Local Group Member pop-up box, change the Action to Remove from this group, and then select OK.
  8. Choose OK to close the Local Group Member window.
  9. Choose OK to close the Administrators (built-in) window.
This will remove the group from any computers in the linked Organizational Units, rolling back the change made by this Group Policy.
It is also worth noting that you can follow these steps to remove any additional groups that you might have added previously, but now would like to remove.
You can delete an AD group you created in the Active Directory Users and Computers MMC, dsa.msc at the Run menu. If you want to remove users from any AD group, you can do so there as well.

Conclusion

In this article, you have configured a Group Policy. This policy adds a group (or groups) to the local administrators group on your WorkSpaces or domain joined AppStream instances.
This allows your IT staff to manage WorkSpaces at scale, or assist end users directly when required.
This can be combined with other management tools to help manage a broad collection of WorkSpaces. For example, see this Community article on configuring WinRM with WorkSpaces. Using that article in combination with this one will allow you to use solutions such as Ansible® to manage your WorkSpaces. For more, see our WorkSpaces with Ansible GitHub page.
Thank you very much for your time reviewing this article. We look forward to your feedback.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
