diff --git a/apps/accounts/models/account.py b/apps/accounts/models/account.py
index 9bd8449f8..be3b8ccad 100644
--- a/apps/accounts/models/account.py
+++ b/apps/accounts/models/account.py
@@ -146,27 +146,21 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return False
 
     @lazyproperty
-    def ds_id(self):
-        if self.is_ds_account():
-            return self.asset.ds.id
-        return None
+    def ds(self):
+        if not self.is_ds_account():
+            return None
+        if not hasattr(self.asset, 'ds'):
+            return None
+        return self.asset.ds
 
     @lazyproperty
     def ds_domain(self):
-        if self.ds_id:
-            return self.asset.ds.domain_name
-        return None
+        """这个不能去掉，perm_account 会动态设置这个值，以更改 full_username"""
+        if self.ds and self.ds.domain_name:
+            return self.ds.domain_name
+        return ''
 
-    @lazyproperty
-    def ds(self):
-        if not self.is_ds_account():
-            return {}
-        return {
-            'id': self.ds_id,
-            'domain': self.ds_domain,
-        }
-
-    @lazyproperty
+    @property
     def full_username(self):
         if self.ds_domain:
             return '{}@{}'.format(self.username, self.ds_domain)
diff --git a/apps/accounts/serializers/account/account.py b/apps/accounts/serializers/account/account.py
index 988739c72..1d3bd788b 100644
--- a/apps/accounts/serializers/account/account.py
+++ b/apps/accounts/serializers/account/account.py
@@ -233,6 +233,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
         required=False, queryset=Account.objects, allow_null=True, allow_empty=True,
         label=_('Su from'), attrs=('id', 'name', 'username')
     )
+    ds = ObjectRelatedField(read_only=True, label=_('Directory service'), attrs=('id', 'name', 'domain_name'))
 
     class Meta(BaseAccountSerializer.Meta):
         model = Account
@@ -241,7 +242,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
             'date_change_secret', 'change_secret_status'
         ]
         fields = BaseAccountSerializer.Meta.fields + [
-            'su_from', 'asset', 'version', 'ds_domain', 'ds_id',
+            'su_from', 'asset', 'version', 'ds',
             'source', 'source_id', 'secret_reset',
         ] + AccountCreateUpdateSerializerMixin.Meta.fields + automation_fields
         read_only_fields = BaseAccountSerializer.Meta.read_only_fields + automation_fields
diff --git a/apps/authentication/models/connection_token.py b/apps/authentication/models/connection_token.py
index acdaa9890..7f450b8ca 100644
--- a/apps/authentication/models/connection_token.py
+++ b/apps/authentication/models/connection_token.py
@@ -255,6 +255,16 @@ class ConnectionToken(JMSOrgBaseModel):
             cache.delete(lock_key)
             return True
 
+    def set_ad_domain_if_need(self, account):
+        rdp = self.asset.platform.protocols.filter(name='rdp').first()
+        if not rdp or not rdp.setting:
+            return
+
+        ad_domain = rdp.setting.get('ad_domain')
+        if ad_domain:
+            # serializer account username 用的是 full_username 所以这么设置
+            account.ds_domain = ad_domain
+
     @lazyproperty
     def account_object(self):
         if not self.asset:
@@ -269,6 +279,9 @@ class ConnectionToken(JMSOrgBaseModel):
             account = self.asset.all_valid_accounts.filter(id=self.account).first()
             if not account.secret and self.input_secret:
                 account.secret = self.input_secret
+
+            if self.protocol == 'rdp':
+                self.set_ad_domain_if_need(account)
         return account
 
     @lazyproperty