Create a Domain Admin ("Level 3") Account
Contributors
Download PDF of this page
Overview
Occasionally VDS administrators will need domain-level credentials to manage the environment. In VDS these are called "Level 3" or ".tech" account.
These instructions show how these accounts can be created with the appropriate permissions.
Windows Server Domain Controller
When running an internally hosted Domain Controller (or a local DC linked to Azure via a VPN/Express Route) managing .tech accounts can be done directly in Active Directory Manager.
-
Connect to the Domain Controller (CWMGR1, DC01 or the existing VM) with a domain admin (.tech) account.
-
Create a new user (if needed).
-
Add the user to the "Level3 Technicians" security group
-
If the "Level3 Technicians" security group is missing, please create the group and make it a member of "CW-Infrastructure" security group.
-
Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts. |
Azure AD Domain Services
If running in Azure AD Domain Services or managing user in Azure AD, these accounts can be managed (i.e. password change) in the Azure Management Portal as a normal Azure AD user.
New accounts can be created, adding them to these roles should give them the permissions required:
-
AAD DC Administrators
-
ClientDHPAccess
-
Global Admin in the directory.
Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts. |