Merge pull request #106414 from iainfoulds/azureadds-domainjoinprivileges

[AzureADDS] Update guidance on domain-join privileges

Author: PRMerger17

articles/active-directory-domain-services/faqs.md

@@ -87,7 +87,7 @@ No. After you create an Azure AD Domain Services managed domain, you can't then
 No. You don't have permissions to connect to domain controllers for the managed domain using Remote Desktop. Members of the *AAD DC Administrators* group can administer the managed domain using AD administration tools such as the Active Directory Administration Center (ADAC) or AD PowerShell. These tools are installed using the *Remote Server Administration Tools* feature on a Windows server joined to the managed domain. For more information, see [Create a management VM to configure and administer an Azure AD Domain Services managed domain](tutorial-create-management-vm.md).
 
 ### I've enabled Azure AD Domain Services. What user account do I use to domain join machines to this domain?
-Members of the administrative group *AAD DC Administrators* can domain-join machines. Additionally, members of this group are granted remote desktop access to machines that have been joined to the domain.
+Any user account that's part of the Azure AD DS managed domain can join a VM. Members of the *AAD DC Administrators* group are granted remote desktop access to machines that have been joined to the managed domain.
 
 ### Do I have domain administrator privileges for the managed domain provided by Azure AD Domain Services?
 No. You aren't granted administrative privileges on the managed domain. *Domain Administrator* and *Enterprise Administrator* privileges aren't available for you to use within the domain. Members of the domain administrator or enterprise administrator groups in your on-premises Active Directory are also not granted domain / enterprise administrator privileges on the managed domain.

articles/active-directory-domain-services/join-centos-linux-vm.md

@@ -30,7 +30,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A user account that's part of the Azure AD DS managed domain.
 
 ## Create and connect to a CentOS Linux VM
 
@@ -94,15 +94,15 @@ Now that the required packages are installed on the VM, join the VM to the Azure
     * Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
     * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
 
-1. Now initialize Kerberos using the `kinit` command. Specify a user that belongs to the *AAD DC Administrators* group. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
+1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the Azure AD DS managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
 
-    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a member of the *AAD DC Administrators* group:
+    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a part of the Azure AD DS managed domain:
 
     ```console
     kinit [email protected]
     ```
 
-1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a member of the *AAD DC Administrators* group that you specified in the previous `kinit` command, such as `[email protected]`:
+1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a part of the Azure AD DS managed domain that you specified in the previous `kinit` command, such as `[email protected]`:
 
     ```console
     sudo realm join --verbose AADDSCONTOSO.COM -U '[email protected]'

articles/active-directory-domain-services/join-coreos-linux-vm.md

@@ -30,7 +30,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A user account that's a part of the Azure AD DS managed domain.
 
 ## Create and connect to a CoreOS Linux VM
 
@@ -130,9 +130,9 @@ With the SSSD configuration file updated, now join the virtual machine to the ma
     * Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
     * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
 
-1. Now join the VM to the Azure AD DS managed domain using the `adcli join` command. Specify a user that belongs to the *AAD DC Administrators* group. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
+1. Now join the VM to the Azure AD DS managed domain using the `adcli join` command. Specify a user that's a part of the Azure AD DS managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
 
-    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a member of the *AAD DC Administrators* group.
+    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a part of the Azure AD DS managed domain.
 
     ```console
     sudo adcli join -D AADDSCONTOSO.COM -U [email protected] -K /etc/krb5.keytab -H coreos.aaddscontoso.com -N coreos

articles/active-directory-domain-services/join-rhel-linux-vm.md

@@ -30,7 +30,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A user account that's a part of the Azure AD DS managed domain.
 
 ## Create and connect to a RHEL Linux VM
 
@@ -104,15 +104,15 @@ Now that the required packages are installed on the VM, join the VM to the Azure
     * Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
     * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
 
-1. Now initialize Kerberos using the `kinit` command. Specify a user that belongs to the *AAD DC Administrators* group. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
+1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the Azure AD DS managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
 
-    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a member of the *AAD DC Administrators* group:
+    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a part of the Azure AD DS managed domain:
 
     ```console
     kinit [email protected]
     ```
 
-1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a member of the *AAD DC Administrators* group that you specified in the previous `kinit` command, such as `[email protected]`:
+1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a part of the Azure AD DS managed domain that you specified in the previous `kinit` command, such as `[email protected]`:
 
     ```console
     sudo realm join --verbose AADDSCONTOSO.COM -U '[email protected]'
@@ -138,7 +138,7 @@ Successfully enrolled machine in realm
     * Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
     * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
 
-1. First, join the domain using the `adcli join` command, this command will also creates the keytab to authenticate the machine. Use a user account that's a member of the *AAD DC Administrators* group.
+1. First, join the domain using the `adcli join` command, this command will also creates the keytab to authenticate the machine. Use a user account that's a part of the Azure AD DS managed domain.
 
     ```console
     sudo adcli join aaddscontoso.com -U contosoadmin

articles/active-directory-domain-services/join-ubuntu-linux-vm.md

@@ -30,7 +30,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A user account that's a part of the Azure AD DS managed domain.
 
 ## Create and connect to an Ubuntu Linux VM
 
@@ -129,15 +129,15 @@ Now that the required packages are installed on the VM and NTP is configured, jo
     * Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
     * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
 
-1. Now initialize Kerberos using the `kinit` command. Specify a user that belongs to the *AAD DC Administrators* group. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
+1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the Azure AD DS managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md).
 
-    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a member of the *AAD DC Administrators* group:
+    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a part of the Azure AD DS managed domain:
 
     ```console
     kinit [email protected]
     ```
 
-1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a member of the *AAD DC Administrators* group that you specified in the previous `kinit` command, such as `[email protected]`:
+1. Finally, join the machine to the Azure AD DS managed domain using the `realm join` command. Use the same user account that's a part of the Azure AD DS managed domain that you specified in the previous `kinit` command, such as `[email protected]`:
 
     ```console
     sudo realm join --verbose AADDSCONTOSO.COM -U '[email protected]' --install=/

articles/active-directory-domain-services/join-windows-vm-template.md

@@ -30,7 +30,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
+* A user account that's a part of the Azure AD DS managed domain.
 
 ## Azure Resource Manager template overview
 
@@ -90,7 +90,7 @@ To create a Windows Server VM then join it to an Azure AD DS managed domain, com
     | DNS Label Prefix          | Enter a DNS name to use for the VM, such as *myvm*. |
     | VM size                   | Specify a VM size, such as *Standard_DS2_v2*. |
     | Domain To Join            | The Azure AD DS managed domain DNS name, such as *aaddscontoso.com*. |
-    | Domain Username           | The user account in the Azure AD DS managed domain that should be used to join the VM to the managed domain, such as `[email protected]`. This account must be a member of the *Azure AD DC administrators* group. |
+    | Domain Username           | The user account in the Azure AD DS managed domain that should be used to join the VM to the managed domain, such as `[email protected]`. This account must be a part of the Azure AD DS managed domain. |
     | Domain Password           | The password for the user account specified in the previous setting. |
     | Optional OU Path          | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *AAD DC Computers* OU. |
     | VM Admin Username         | Specify a local administrator account to create on the VM. |
@@ -100,7 +100,7 @@ To create a Windows Server VM then join it to an Azure AD DS managed domain, com
 
 > [!WARNING]
 > **Handle passwords with caution.**
-> The template parameter file requests the password for a user account that's a member of the *Azure AD DC administrators* group. Don't manually enter values into this file and leave it accessible on file shares or other shared locations.
+> The template parameter file requests the password for a user account that's a part of the Azure AD DS managed domain. Don't manually enter values into this file and leave it accessible on file shares or other shared locations.
 
 It takes a few minutes for the deployment to complete successfully. When finished, the Windows VM is created and joined to the Azure AD DS managed domain. The VM can be managed or signed into using domain accounts.
 
@@ -119,15 +119,15 @@ To join an existing Windows Server VM to an Azure AD DS managed domain, complete
     | Resource group            | Choose the resource group with your existing VM. |
     | Location                  | Select the location of your existing VM. |
     | VM list                   | Enter the comma-separated list of the existing VM(s) to join to the Azure AD DS managed domain, such as *myVM1,myVM2*. |
-    | Domain Join User Name     | The user account in the Azure AD DS managed domain that should be used to join the VM to the managed domain, such as `[email protected]`. This account must be a member of the *Azure AD DC administrators* group. |
+    | Domain Join User Name     | The user account in the Azure AD DS managed domain that should be used to join the VM to the managed domain, such as `[email protected]`. This account must be a part of the Azure AD DS managed domain. |
     | Domain Join User Password | The password for the user account specified in the previous setting. |
     | Optional OU Path          | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *AAD DC Computers* OU. |
 
 1. Review the terms and conditions, then check the box for **I agree to the terms and conditions stated above**. When ready, select **Purchase** to join the VM to the Azure AD DS managed domain.
 
 > [!WARNING]
 > **Handle passwords with caution.**
-> The template parameter file requests the password for a user account that's a member of the *Azure AD DC administrators* group. Don't manually enter values into this file and leave it accessible on file shares or other shared locations.
+> The template parameter file requests the password for a user account that's a part of the Azure AD DS managed domain. Don't manually enter values into this file and leave it accessible on file shares or other shared locations.
 
 It takes a few moments for the deployment to complete successfully. When finished, the specified Windows VMs are joined to the Azure AD DS managed domain and can be managed or signed into using domain accounts.