Create a Domain Admin ("Level 3") Account

Contributors tvanroo

Overview

Occasionally VDS administrators will need domain-level credentials to manage the environment. In VDS these are called "Level 3" or ".tech" account.

These instructions show how these accounts can be created with the appropriate permissions.

Windows Server Domain Controller

When running an internally hosted Domain Controller (or a local DC linked to Azure via a VPN/Express Route) managing .tech accounts can be done directly in Active Directory Manager.

  1. Connect to the Domain Controller (CWMGR1, DC01 or the existing VM) with a domain admin (.tech) account.

  2. Create a new user (if needed).

  3. Add the user to the "Level3 Technicians" security group

    Management.System Administration.create domain admin account 9ee17

    1. If the "Level3 Technicians" security group is missing, please create the group and make it a member of "CW-Infrastructure" security group.

      Management.System Administration.create domain admin account 0fc27
Note Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts.

Azure AD Domain Services

If running in Azure AD Domain Services or managing user in Azure AD, these accounts can be managed (i.e. password change) in the Azure Management Portal as a normal Azure AD user.

New accounts can be created, adding them to these roles should give them the permissions required:

  1. AAD DC Administrators

  2. ClientDHPAccess

  3. Global Admin in the directory.

Note Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts.

l33