Insufficient permissions when running Set-AdComputer command through AWS EC2(windows) userdata script


I am attempting to update EC2 instances' AD OU (Computer Object) attributes through an EC2 user data script. I am seeing "Message: The errors from user data script: Set-AdComputer : Insufficient access rights to perform the operation", which isn't making sense to me, as user data runs with root privileges/admin-level perms, right? Any insights? Below is the excerpt from Ec2UserDataExecution.log:

2023/04/26 05:44:11Z: <powershell> tag was provided.. running powershell content
2023/04/26 05:44:14Z: Message: The errors from user data script: Set-AdComputer : Insufficient access rights to perform the operation
At 
C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\Launch\InvokeUserData\UserScript.ps1:27 
char:2
+     Set-AdComputer -Identity $Hostname -Description "XXXXX ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (XXXXXX:ADComputer) [Set-ADComputer], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADComputer
 

2023/04/26 05:44:14Z: Message: The output from user data script: 
Success Restart Needed Exit Code      Feature Result                               
------- -------------- ---------      --------------                               
True    No             NoChangeNeeded {}   



neilalex

For user data commands that require domain administrator privileges, I store the credentials for a relevant domain account in an AWS secret, and pull them down in the script:

# Pull required username and password from AWS Secrets Manager (needs the AWS Tools for PowerShell;
# the instance profile must allow secretsmanager:GetSecretValue on this secret)
$UsernameAndPasswordForPrivilegedAccount = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId arn:aws:secretsmanager:us-east-1:<AWS Account Number>:secret:<AWS Secret Name>).SecretString

# Build a PSCredential from the two keys stored in the secret ('username' and 'password')
$CredentialsForPrivilegedAccount = New-Object PSCredential($UsernameAndPasswordForPrivilegedAccount.UserName, (ConvertTo-SecureString $UsernameAndPasswordForPrivilegedAccount.Password -AsPlainText -Force))

# Use the credential with the command (the script itself still runs as SYSTEM; only this call uses the domain account)
Set-AdComputer -Credential $CredentialsForPrivilegedAccount -Identity $Hostname -Description "XXXXX ...

In AWS Secrets, save the username and password by (a) choosing "Store a new secret," (b) choosing "Other type of secret," and (c) creating two key/value pairs, with the words 'username' and 'password' as the keys:

Key/value     Secret value
 username      <MYDOMAIN\myprivilegedusername>
 password      <mypassword>

For the commands that pull the credentials to work, the machine will need to be using an IAM role that has access to the secret, have AWS Tools for PowerShell installed, and have AWS's DNS server registered as one of its DNS servers (which will be automatic if your VPC uses a DHCP Options Set with Amazon Provided DNS. It can also be configured independently.)
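The root cause behind the question is worth making explicit: user data runs as NT AUTHORITY\SYSTEM, which is a local administrator on the instance but reaches the domain only as the computer account (DOMAIN\HOSTNAME$). Local admin rights say nothing about what that account may write in Active Directory, hence error 8344 (insufficient access rights). Storing the domain credential in Secrets Manager rather than in the user data itself also matters because user data is readable by any process on the instance through the instance metadata service. The following is an added example, not code from the original question or answer, that puts the answer's procedure together as one user data script with the checks a practitioner would want: it logs the identity the script runs as, validates that the secret carries both keys, performs the update with the domain credential, reads the object back to confirm the write, and clears the plaintext secret from memory. The secret ARN, the description text, the module name AWS.Tools.SecretsManager (the modular AWS Tools for PowerShell) and the OU used in the dsacls comment are assumptions.

```powershell
<powershell>
# Added example (not from the original post). Assumes: AWS.Tools.SecretsManager and the RSAT
# ActiveDirectory module are installed, the instance profile allows secretsmanager:GetSecretValue
# on the secret, and the secret JSON has 'username' and 'password' keys as the answer describes.
$ErrorActionPreference = 'Stop'

$SecretId    = 'arn:aws:secretsmanager:us-east-1:<AWS Account Number>:secret:<AWS Secret Name>'  # placeholder ARN
$Hostname    = $env:COMPUTERNAME                  # the computer object to update (assumed: this instance)
$Description = 'Managed by EC2 user data'         # assumed description value

# User data runs as SYSTEM; in the domain that is the computer account, not a domain admin.
# This line ends up in Ec2UserDataExecution.log and explains the 8344 error seen without -Credential.
$RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "User data running as: $RunningAs"

Import-Module AWS.Tools.SecretsManager
Import-Module ActiveDirectory

# Fetch the secret and refuse to continue if either key is missing, rather than failing later
# with a less obvious error from New-Object PSCredential.
$Secret = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $SecretId).SecretString
foreach ($key in 'username', 'password') {
    if (-not $Secret.PSObject.Properties[$key]) {
        throw "Secret $SecretId is missing the '$key' key"
    }
}

$Cred = New-Object System.Management.Automation.PSCredential(
    $Secret.username,
    (ConvertTo-SecureString $Secret.password -AsPlainText -Force))

try {
    # Only this AD call runs as the domain account; the rest of the script stays SYSTEM.
    Set-ADComputer -Credential $Cred -Identity $Hostname -Description $Description

    # Confirm the write actually landed instead of trusting the absence of an exception.
    $After = Get-ADComputer -Credential $Cred -Identity $Hostname -Properties Description
    if ($After.Description -ne $Description) {
        throw "Description on $Hostname was not updated (current value: '$($After.Description)')"
    }
    Write-Output "Description on $Hostname set to '$Description'"
}
finally {
    # Never echo $Secret.password: user data output is written to Ec2UserDataExecution.log.
    Remove-Variable Secret, Cred -ErrorAction SilentlyContinue
}

# Least privilege (assumed OU; run once by an AD admin, not from user data): instead of storing a
# domain admin password in the secret, create a dedicated account and delegate only WriteProperty
# on the description attribute of computer objects in the target OU, e.g.
#   dsacls "OU=Servers,DC=corp,DC=example,DC=com" /I:S /G "CORP\svc-ec2-adupdate:WP;description;computer"
# then store that account in the secret.
</powershell>
```

The read-back after Set-ADComputer is deliberate: the original log shows the user data exit status reported as a success table even though the AD write failed, so a script that only checks for exceptions can report green while the object is unchanged. Scoping the delegated account to one attribute on one OU also limits what an attacker gains if the instance profile (and with it secretsmanager:GetSecretValue) is ever abused from a compromised instance.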