Putting a computer object into an OU based on the user who adds it

Is there a way to automatically place a computer into a specific OU based on the user who joins it to the domain? For example, I have 5 OUs; the site administrators can add PCs to the domain but cannot manage any aspect of AD outside their own OU, and we would like to stop having to move computers into the correct OU afterwards.

I am aware of the ability to change the default location for new computers in AD, and of pre-creating the new computer in the correct OU, but I am looking for something more specific if it exists.

Have them use netdom to join the machine into the specific OU they manage:

    netdom help join
    The syntax of this command is:

    NETDOM JOIN machine /Domain:domain [/OU:ou path]
               [/UserD:user] [/PasswordD:[password | *]]
               [/UserO:user] [/PasswordO:[password | *]]
               [/PasswordM:[password | *]]
               [/ReadOnly] [/REBoot[:Time in seconds]]
               [/SecurePasswordPrompt]

    NETDOM JOIN Joins a workstation or member server to the domain.

    machine is the name of the workstation or member server to be joined

    /Domain    Specifies the domain which the machine should join. You can
               specify a particular domain controller by entering
               /Domain:domain\dc. When /ReadOnly option is used, you must
               specify a domain controller.

    /UserD     User account used to make the connection with the domain
               specified by the /Domain argument

    /PasswordD Password of the user account specified by /UserD. A * means
               to prompt for the password

    /UserO     User account used to make the connection with the machine
               to be joined

    /PasswordO Password of the user account specified by /UserO. A * means
               to prompt for the password

    /OU        Organizational unit under which to create the machine
               account. This must be a fully qualified RFC 1779 DN for the
               OU. If not specified, the account will be created under the
               default organization unit for machine objects for that domain.

    /PasswordM Password of the pre-created computer account, whose name is
               specified by the machine parameter. A * means to prompt for
               the password. This option must be used with /ReadOnly option.

    /ReadOnly  Perform a domain join using a pre-created computer account
               and without performing any writes to a domain controller.
               This option therefore, does not require a writable domain
               controller. You must specify the domain controller (using
               /Domain option) and computer account password (using
               /PasswordM option) when the option is used. This option
               cannot be used with /OU option.

    /REBoot    Specifies that the machine should be shutdown and
               automatically rebooted after the Join has completed. The
               number of seconds before automatic shutdown can also be
               provided. Default is 30 seconds

    /SecurePasswordPrompt
               Use secure credentials popup to specify credentials. This
               option should be used when smartcard credentials need to be
               specified. This option is only in effect when the password
               value is supplied as *

    Windows Professional machines with the ForceGuest setting enabled
    (which is the default for machines not joined to a domain during setup)
    cannot be remotely administered. Thus the join operation must be run
    directly on the machine when the ForceGuest setting is enabled.

    When joining a machine running Windows NT version 4 or before to the
    domain the operation is not transacted. Thus, a failure during the
    operation could leave the machine in an undetermined state with respect
    to the domain it is joined to.

    The act of joining a machine to the domain will create an account for
    the machine on the domain if it does not already exist.

    NETDOM HELP command | MORE displays Help one screen at a time.

I don't know of anything more specific than pre-creating the computer object in the correct OU. If you have already granted that permission to the administrators, that would be the fastest/easiest way. You could use the netdom command as Jim pointed out, but you would have to type the correct LDAP path every time, which is error-prone.

Edit:

If you have Server 2008 R2 DCs and are adding Server 2008 R2 servers or Windows 7 clients, another option is to use offline domain join.

The administrator provisions the computer object from a Windows 7 or Server 2008 R2 machine with the following:

    djoin /provision /Domain <domain> /Machine <PCName> /MachineOU <ldap Path> /Savefile <PCName>.txt

They can then copy that file to the computer that is to be added and run:

    djoin /RequestODJ /loadfile <PCName>.txt /Windowspath C:\Windows

This can be used to add a PC to the domain even when it has no network connectivity.
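As an added example (not code from any of the answers above), here is a PowerShell wrapper around the djoin provisioning step that derives the target OU from the calling site admin's group membership instead of a hand-typed LDAP path, and then checks that the object really landed in that OU rather than in the default computers container. The group naming scheme, the OU DNs and the domain name are assumptions to be replaced with your own.

```powershell
# Added example, not from the original answers. Assumes the RSAT ActiveDirectory
# module is installed and that each site's admin group is named
# "<Site>-Workstation-Admins"; the OU DNs and domain below are placeholders.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$Domain = 'example.com'
)
Import-Module ActiveDirectory

# One fixed DN per site, so nobody types an LDAP path by hand.
$SiteOU = @{
    'Boston'  = 'OU=Workstations,OU=Boston,DC=example,DC=com'
    'Chicago' = 'OU=Workstations,OU=Chicago,DC=example,DC=com'
}

# Resolve the site from the groups the calling admin belongs to.
$groups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
    Select-Object -ExpandProperty Name
$site = @($SiteOU.Keys | Where-Object { $groups -contains "$_-Workstation-Admins" })
if ($site.Count -ne 1) {
    throw "Caller is in $($site.Count) site admin groups; expected exactly one."
}
$ou = $SiteOU[$site[0]]

# Pre-stage the computer account directly in the site OU (offline domain join).
$blob = Join-Path $PWD "$ComputerName.txt"
djoin.exe /provision /domain $Domain /machine $ComputerName /machineou $ou /savefile $blob
if ($LASTEXITCODE -ne 0) {
    throw "djoin /provision failed with exit code $LASTEXITCODE"
}

# Verify the object is under the delegated OU, not the default container.
$dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
if ($dn -ne "CN=$ComputerName,$ou") {
    throw "Computer object was created at '$dn', expected under '$ou'"
}

Write-Host "Provisioned $ComputerName in $ou."
Write-Host "Copy $blob to the PC and run:"
Write-Host "  djoin /RequestODJ /loadfile $ComputerName.txt /Windowspath C:\Windows"
```

The final check matters because a caller who also holds create-computer rights elsewhere in the domain can still end up with the object in an unintended location; the script fails loudly in that case instead of leaving a stray account behind.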

You can use the Delegation of Control feature in Active Directory to apply permissions on each specific OU so that they can put their computers into it. One note: they must not have permission to add computer objects anywhere else in the domain, otherwise it will pick the first OU it finds (I think!?!).

For example, say you have an OU called Other_Computers.

  1. Right-click it, select Delegate Control, click Next, and select the user you want to delegate control to.
  2. This is where it gets tricky: instead of using the stock delegation tasks, you need to select "Create a custom task to delegate".
  3. Then select "Only the following objects in the folder" and check "Computer objects".
  4. Then check "Create selected objects in this folder" (you can also select "Delete selected objects in this folder" if you want them to be able to delete computers) and click Next.
  5. Then, on the next screen, you have to select "Create All Child Objects" (and "Delete All Child Objects" if you chose to delete objects in the folder).
  6. Then Next and Finish, and you're done.

Once you have done this, assuming the user has no permission to add computer objects anywhere else in the domain, any computer they add will automatically be added to that OU.