Place computer objects in an OU based on the user who added them

Is there a way to automatically place a computer in a specific OU based on which user joined it to the domain? For example, I have 5 OUs; site admins can add PCs to the domain but cannot manage any part of AD outside their own OU, and we want to avoid having to move computers into the correct OU afterwards.

I know the default location for new computers in AD can be changed, and that they can be pre-staged in the correct OU, but I'm looking for something more specific, if it exists.

Answer 1

Have them use netdom to join the machine into the specific OU they manage:

netdom help join
The syntax of this command is:


NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
           [/PasswordD:[password | *]]
           [/UserO:user] [/PasswordO:[password | *]]
           [/PasswordM:[password | *]]
           [/ReadOnly]
           [/REBoot[:Time in seconds]]
           [/SecurePasswordPrompt]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined

/Domain         Specifies the domain which the machine should join. You
                can specify a particular domain controller by entering
                /Domain:domain\dc. When /ReadOnly option is used, you
                must specify a domain controller.

/UserD          User account used to make the connection with the domain
                specified by the /Domain argument

/PasswordD      Password of the user account specified by /UserD.  A * means
                to prompt for the password

/UserO          User account used to make the connection with the machine to
                be joined

/PasswordO      Password of the user account specified by /UserO.  A * means
                to prompt for the password

/OU             Organizational unit under which to create the machine account.
                This must be a fully qualified RFC 1779 DN for the OU.
                If not specified, the account will be created under the default
                organization unit for machine objects for that domain.

/PasswordM      Password of the pre-created computer account, whose name is
                specified by the machine parameter. A * means to prompt
                for the password. This option must be used with /ReadOnly
                option.

/ReadOnly       Perform a domain join using a pre-created computer account and
                without performing any writes to a domain controller. This
                option therefore, does not require a writable domain controller.
                You must specify the domain controller (using /Domain option)
                and computer account password (using /PasswordM option)
                when the option is used. This option cannot be used with /OU
                option.

/REBoot         Specifies that the machine should be shutdown and automatically
                rebooted after the Join has completed.  The number of seconds
                before automatic shutdown can also be provided.  Default is
                30 seconds

/SecurePasswordPrompt
                Use secure credentials popup to specify credentials. This
                option should be used when smartcard credentials need to be
                specified. This option is only in effect when the password
                value is supplied as *

Windows Professional machines with the ForceGuest setting enabled (which is the
default for machines not joined to a domain during setup) cannot be remotely
administered. Thus the join operation must be run directly on the machine
when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain
the operation is not transacted.  Thus, a failure during the operation could
leave the machine in an undetermined state with respect to the domain it is
joined to.

The act of joining a machine to the domain will create an account for the
machine on the domain if it does not already exist.


NETDOM HELP command | MORE displays Help one screen at a time.

Answer 2

Not sure what's more specific than pre-staging the computer objects in the correct OU. If you've already delegated that permission to the admins, that's the fastest/simplest route. You can use the netdom command Jim pointed out, but that requires typing the correct LDAP path every time, which is error-prone.

Edit:

If you have Server 2008 R2 DCs and are adding Server 2008 R2 servers or Windows 7 clients, another option is to use offline domain join.

The admin has to provision the computer object from Windows 7 or Server 2008 R2 with the following command:

djoin /provision /Domain <domain> /Machine <PCName> /MachineOU <ldap Path> /Savefile <PCName>.txt

Then they can copy the file to the computer being added and run:

djoin /RequestODJ /loadfile <PCName>.txt /Windowspath C:\Windows

This can be used to add a PC to the domain when it has no network connectivity.

Answer 3

You can use the Delegation of Control feature in Active Directory to apply permissions on each specific OU you want your people to put computers in. The caveat is that they must not have the right to add computer objects anywhere else in the domain; otherwise it will pick the first OU it finds (I think that's how it works!?!).

For example, say you have an OU named Other_Computers.

  1. Right-click it, choose Delegate Control, click Next, and pick the user to delegate control to.
  2. Here it gets tricky: you need to choose "Create a custom task to delegate" rather than one of the stock delegation tasks.
  3. Then choose "Only the following objects in the folder" and tick "Computer objects".
  4. Then tick "Create selected objects in this folder" (and "Delete selected objects in this folder" too, if you want them to be able to delete computers), and click Next.
  5. Then, on the next screen, you must select "Create All Child Objects" (and "Delete All Child Objects" too, if you chose delete).
  6. Then Next and Finish, and you're done.

Once that's done, assuming the user has no rights to add computer objects elsewhere in the domain, any computer they add will automatically land in that OU.
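The wizard steps in the answer above, as an added PowerShell example that is not from the original answer: it grants Create (and optionally Delete) Computer objects on one OU with the ActiveDirectory module, reads the ACL back to confirm the ACE, and reports the domain's ms-DS-MachineAccountQuota, which decides whether ordinary users can still create computer accounts in the default container (the "nowhere else in the domain" caveat). The OU DN and group name are assumed placeholders.

```powershell
# Added example (not from the original answer): delegate "Create/Delete Computer
# objects" on a single OU, the same result as the Delegation of Control wizard.
Import-Module ActiveDirectory

$OuDn        = 'OU=Other_Computers,DC=example,DC=com'  # assumption: your OU
$Delegate    = 'EXAMPLE\SiteA-Joiners'                  # assumption: site-admin group
$AllowDelete = $true   # $false = skip "Delete selected objects in this folder"

# schemaIDGUID of the 'computer' class scopes the ACE to computer objects
# ("Only the following objects in the folder: Computer objects").
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate([System.Security.Principal.SecurityIdentifier])

# "Create selected objects in this folder" = CreateChild of class computer on the OU itself.
$rights = if ($AllowDelete) { 'CreateChild, DeleteChild' } else { 'CreateChild' }
$adRights  = [System.DirectoryServices.ActiveDirectoryRights]$rights
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$noInherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object only"

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, $adRights, $allow, $computerGuid, $noInherit)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check 1: read the ACL back and confirm the ACE exists and is limited to computer objects.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.ObjectType -eq $computerGuid -and $_.IdentityReference.Value -eq $Delegate } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# Check 2 (the answer's caveat): the delegate must not be able to create computers
# elsewhere. By default ms-DS-MachineAccountQuota is 10, which lets any authenticated
# user create computer accounts in the domain's default computer container.
$domainDn = (Get-ADDomain).DistinguishedName
(Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Run it as an account that can modify the OU's security descriptor; if Check 2 returns a non-zero quota, joins by that delegate can still land in the default container rather than the delegated OU.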
