
Create a Domain Admin ("Level 3") Account

Contributors: tvanroo

Overview

Occasionally VDS administrators will need domain-level credentials to manage the environment. In VDS these are called "Level 3" or ".tech" accounts.

These instructions show how these accounts can be created with the appropriate permissions.

Traditional domain controller

When running an internally hosted Domain Controller (or a local DC linked to Azure via a VPN/Express Route), .tech accounts can be managed directly in Active Directory Manager.

  1. Connect to the Domain Controller (CWMGR1, DC01 or the existing VM) with a domain admin (.tech) account.

  2. Open Active Directory Users and Computers and navigate to Cloud Workspace > Cloud Workspace Tech Users. Right-click the Level3 Technicians entry and select New > User.


  3. Alternatively you can select an existing .tech account inside of the Level3 Technician directory and copy it to create a new user.

Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts.
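The copy approach from step 3 can also be scripted. The following is an added example, not part of the original page or NetApp's own tooling: it assumes the ActiveDirectory PowerShell module is available on the domain controller, and the parameter names and sample account names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: create a new Level 3 account by copying an existing .tech
# account's container and group memberships (approximates the ADUC "Copy" action).
# Run on the domain controller with a domain admin (.tech) account.
param(
    [Parameter(Mandatory)] [string] $TemplateSam,   # existing account, e.g. 'jdoe.tech' (hypothetical)
    [Parameter(Mandatory)] [string] $NewSam,        # new account, e.g. 'asmith.tech' (hypothetical)
    [Parameter(Mandatory)] [string] $DisplayName
)

# Enforce the naming convention so admin accounts stay distinguishable
# from end user accounts in listings and logs.
if ($NewSam -notmatch '\.tech$') {
    throw "Admin account names should end in '.tech': $NewSam"
}
# sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters.
if ($NewSam.Length -gt 20) {
    throw "sAMAccountName '$NewSam' is longer than 20 characters."
}

$template = Get-ADUser -Identity $TemplateSam -Properties MemberOf
if (Get-ADUser -Filter "SamAccountName -eq '$NewSam'") {
    throw "Account $NewSam already exists."
}

# Parent container of the template: split the DN at the first unescaped comma.
$parentDn = ($template.DistinguishedName -split '(?<!\\),', 2)[1]

# Prompt for the initial password so it never appears in the script or history.
$password = Read-Host -Prompt "Initial password for $NewSam" -AsSecureString

New-ADUser -Name $DisplayName -DisplayName $DisplayName `
    -SamAccountName $NewSam `
    -UserPrincipalName "$NewSam@$((Get-ADDomain).DNSRoot)" `
    -Path $parentDn -AccountPassword $password `
    -ChangePasswordAtLogon $true -Enabled $true

# Copy the template's group memberships (the primary group is assigned by default).
foreach ($groupDn in $template.MemberOf) {
    Add-ADGroupMember -Identity $groupDn -Members $NewSam
}

# Print the resulting memberships so the granted privileges can be reviewed.
Get-ADPrincipalGroupMembership -Identity $NewSam | Select-Object Name, GroupScope
```

Review the final group listing before handing over the account, since a copied account inherits every group the template account has accumulated.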


Azure AD Domain Services

If running in Azure AD Domain Services or managing users in Azure AD, these accounts can be managed (i.e. password change) in the Azure Management Portal as normal Azure AD users.

New accounts can be created; adding them to these roles should give them the permissions required:

  1. AAD DC Administrators

  2. ClientDHPAccess

  3. Global Admin in the directory.

Adding “.tech” to the end of the username is a recommended best practice to help delineate admin accounts from end user accounts.
