Azure: AADS Domain joined server: Administrator cannot add objects in ADUC

Question

For testpurposes we have created an Azure Tenant containing an Azure AD Domain Services domain with a domain joined Windows Server 2019.

When we logon to this server with an account that belongs to the AAD DC Administrators group and go to Active Directory Users and Computers (ADUC) we cannot add objects.
The icons 'Create a new user in the current container', 'Create a new group in the current container' and 'create a new organizational unit in the current container' are disabled.
When we try to change something in the current objects we get the errors 'access is denied' or 'you do not have permission ...'

What are we doing wrong?

Answer 1

Hello @Jan Didden ,

Yes, A default OU for AADDC Users is created that contains all the synchronized user accounts from your Azure AD tenant. You can't add/move users or groups from the AADDC Users OU to custom OUs that you create. Only user accounts or resources created can be created in Custom OU's also users/groups can be moved between custom OUs.

To learn more about how to create an Organizational Unit (OU) in an Azure Active Directory Domain Services managed domain.

Answer 2

You cannot great objects in the default OU that is created in AAD DS, this is reserved for users created in Azure AD. You can create additional OU's and then create resources in these OU's.

Answer 3

Hello @Sam Cogan and @sikumars-msft,

Thanks for your answers, that did the trick.
We clearly missed the article https://learn.microsoft.com/en-us/azure/active-directory-domain-services/create-ou ;-)