设置"下面的用户或组可以加入到域"创建计算机后 [英] set "the following user or group can join to a domain" after creating the computer
问题描述
我所遇到的一个问题,用户可以创建于公元一台电脑,没有人可以将计算机加入到域,除了谁创造了它在公元用户。
I have come across an issue where a user can create a computer in AD, nobody else can join the computer to the domain except for the user who created it in AD.
在创建计算机管理工具有一个标题为一个选项下列用户或组可以加入到域如果设置了特定组,则该组可以加入到域。
When creating the computer in admin tools there is an option titled "the following user or group can join to a domain" if this is set to a certain group then that group can join to the domain.
当我看到在管理工具的计算机的性能我找不到此设置的任何地方。
When I look at the properties of a computer in the admin tools I cannot find this setting anywhere.
在哪里可以找到这个设置?可以这样设置,使用脚本进行更改?
Where do I find this setting? Can this setting be changed using a script?
推荐答案
这是不是一个真正的设置,而是权限。什么是向导的作用,是分配给计算机加入到该计算机对象为指定的用户/组对象所需所需的权限。
This isn't really a setting, but rather permissions. What the wizard does, is assigning the required permissions required to join a computer to that computer-object on the object for the user/group that you specified.
通常是什么人做的是将用户添加到一个广告组具有所需的权限将计算机加入;权限被分配在与继承启用计算机的父容器。
Usually what people do is adding a user to a ADgroup which has the required permissions to join computers; permissions being assigned on a parent container of the computers with inheritance enabled.
如果您需要只有那个人能加入该计算机,则需要其脚本。例如:
If you need to make only THAT person be able to join THAT computer, you would need to script it. Ex:
- 创建一个计算机对象,然后在向导中选择一个特定的用户。
- 使用ADSI或Powershell的等,以出口为计算机对象 在指定的用户创建的ACL
- 创建来分配相同的权限为指定的计算机上的指定用户的脚本。
- Create a computer-object and choose a specific user in the wizard.
- Use ADSI or Powershell etc. to export the ACLs created for the specified user on that computer object
- Create a script that assigns the same permissions for a specified user on a specified computer.
这篇关于设置"下面的用户或组可以加入到域"创建计算机后的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!