Authenticated user permissions are removed in Lync Server 2013

Topic Last Modified: 2013-02-21

In a locked-down Active Directory environment, authenticated user access control entries (ACEs) are removed from the default Active Directory containers, including the Users container, the Configuration or System container, and the organizational units (OUs) where User and Computer objects are stored. Removing authenticated user ACEs prevents read access to Active Directory information. However, removing the ACEs creates issues for Lync Server 2013 because it depends on read permissions to these containers to allow users to run domain preparation.

In this situation, membership in the Domain Admins group, which is required to run domain preparation, server activation, and pool creation, no longer grants read access to Active Directory information stored in the default containers. You must manually grant read-access permissions on various containers in the forest root domain so that Setup can check that the prerequisite forest preparation procedure is complete.

To enable a user to run domain preparation, server activation, or pool creation on any non-forest root domain, you have the following options:

  • Use an account that is a member of the Enterprise Admins group to run domain preparation.

  • Use an account that is a member of the Domain Admins group and grant this account read-access permissions on each of the following containers in the forest root domain:

    • Domain

    • Configuration or System

If you do not want to use an account that is a member of the Enterprise Admins group to run domain preparation or other Setup tasks, explicitly grant the account you want to use read access on the relevant containers in the forest root.

To give users read-access permissions on containers in the forest root domain

  1. Log on to a computer joined to the forest root domain with an account that is a member of the Domain Admins group for the forest root domain.

  2. Run adsiedit.msc for the forest root domain.

    If authenticated user ACEs were removed from the Domain, Configuration, or System container, you must grant read-only permissions on that container, as described in the following steps.

  3. Right-click the container, and then click Properties.

  4. Click the Security tab.

  5. Click Advanced.

  6. On the Permissions tab, click Add.

  7. Type the name of the user or group receiving permissions in the format domain\account name, and then click OK.

  8. On the Objects tab, in Applies To, click This Object Only.

  9. In Permissions, select the following Allow ACEs by clicking the Allow column: List Content, Read All Properties, and Read Permissions.

  10. Click OK twice.

  11. Repeat these steps for any of the relevant containers listed in Step 2.
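The same three Allow ACEs from step 9, scoped to "This object only" as in step 8, can be granted from PowerShell so the change is repeatable and auditable across the Domain, Configuration, and System containers. The script below is an added example and is not from the Lync Server documentation; it assumes the ActiveDirectory module (RSAT) is installed, that you are logged on as a forest-root Domain Admin as in step 1, and that CONTOSO\LyncSetup is a placeholder for the domain\account name you would type in step 7.

```powershell
# Added example (not from the Lync Server documentation). Grants the read-only ACEs that
# the ADSI Edit procedure describes: List Content(s), Read All Properties and Read
# Permissions, applied to "This object only", on the Domain, Configuration and System
# containers of the forest root domain.
# Assumptions: ActiveDirectory module present; run as a forest-root Domain Admin;
# CONTOSO\LyncSetup is a placeholder account name.
Import-Module ActiveDirectory

$account = 'CONTOSO\LyncSetup'   # placeholder: the domain\account name from step 7

# Resolve the naming contexts from the directory instead of hard-coding DNs.
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.rootDomainNamingContext      # e.g. DC=contoso,DC=com (placeholder)
$configDN = $rootDse.configurationNamingContext   # CN=Configuration,<forest root DN>
$systemDN = "CN=System,$domainDN"

$containers = @($domainDN, $configDN, $systemDN)

# ListChildren  = "List Content(s)"
# ReadProperty  (no property GUID) = "Read All Properties"
# ReadControl   = "Read Permissions"
# Inheritance None = the GUI's "This object only" (step 8).
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$identity = New-Object System.Security.Principal.NTAccount($account)
$ace      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights, $allow, $inherit)

foreach ($dn in $containers) {
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Idempotence check: skip the container if an equivalent Allow entry for this
    # account already exists, so re-running the script does not stack duplicate ACEs.
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq $allow -and
        $_.InheritanceType -eq $inherit -and
        (($_.ActiveDirectoryRights -band $rights) -eq $rights)
    }
    if ($existing) {
        Write-Host "Read ACEs for $account already present on $dn"
        continue
    }

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted List Content / Read All Properties / Read Permissions to $account on $dn"
}

# Verification: list the entries that now apply to the account on each container.
# This is the evidence to keep with the change record for a locked-down forest.
foreach ($dn in $containers) {
    Get-Acl -Path "AD:\$dn" |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object @{n = 'Container'; e = { $dn }}, ActiveDirectoryRights, AccessControlType, InheritanceType
}
```

Because the rights are granted with inheritance set to None, child objects under these containers receive nothing extra, which matches the least-privilege intent of the procedure: the account can enumerate and read the container that Setup checks, and no more. The verification loop at the end shows exactly which ACEs were written, so the grant can be reviewed or reversed later.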