Create an Organizational Unit (OU) in an Azure Active Directory Domain Services managed domain

Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings.

Azure AD DS managed domains include the following two built-in OUs:

  • AADDC Computers - contains computer objects for all computers that are joined to the managed domain.
  • AADDC Users - includes users and groups synchronized in from the Azure AD tenant.

As you create and run workloads that use Azure AD DS, you may need to create service accounts for applications to authenticate themselves. To organize these service accounts, you often create a custom OU in the managed domain and then create the service accounts within that OU.

In a hybrid environment, OUs created in an on-premises AD DS environment aren't synchronized to the managed domain. Managed domains use a flat OU structure. All user accounts and groups are stored in the AADDC Users container, even when they are synchronized from different on-premises domains or forests, and even if you've configured a hierarchical OU structure there.

This article shows you how to create an OU in your managed domain.

Before you begin

To complete this article, you need the following resources and privileges:

Custom OU considerations and limitations

When you create custom OUs in a managed domain, you gain additional flexibility for user management and for applying group policy. Compared to an on-premises AD DS environment, there are some limitations and considerations when creating and managing a custom OU structure in a managed domain:

  • To create custom OUs, users must be a member of the AAD DC Administrators group.
  • A user that creates a custom OU is granted administrative privileges (full control) over that OU and is the resource owner.
    • By default, the AAD DC Administrators group also has full control of the custom OU.
  • A default OU for AADDC Users is created that contains all the synchronized user accounts from your Azure AD tenant.
    • You can't move users or groups from the AADDC Users OU to custom OUs that you create. Only user accounts or resources created in the managed domain can be moved into custom OUs.
  • User accounts, groups, service accounts, and computer objects that you create under custom OUs aren't available in your Azure AD tenant.
    • These objects don't show up in the Microsoft Graph API or in the Azure AD UI; they're only available in your managed domain.

Create a custom OU

To create a custom OU, you use the Active Directory Administrative Tools from a domain-joined VM. The Active Directory Administrative Center lets you view, edit, and create resources in a managed domain, including OUs.

Note

To create a custom OU in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. Sign in to your management VM. For steps on how to connect using the Azure portal, see Connect to a Windows Server VM.

  2. From the Start screen, select Administrative Tools. The list of management tools that were installed in the tutorial to create a management VM is shown.

  3. To create and manage OUs, select Active Directory Administrative Center from the list of administrative tools.

  4. In the left pane, choose your managed domain, such as aaddscontoso.com. A list of existing OUs and resources is shown:

    [Image: Select your managed domain in the Active Directory Administrative Center]

  5. The Tasks pane is shown on the right side of the Active Directory Administrative Center. Under the domain, such as aaddscontoso.com, select New > Organizational Unit.

    [Image: Select the option to create a new OU in the Active Directory Administrative Center]

  6. In the Create Organizational Unit dialog, specify a Name for the new OU, such as MyCustomOu. Provide a short description for the OU, such as Custom OU for service accounts. If desired, you can also set the Managed By field for the OU. To create the custom OU, select OK.

    [Image: Create a custom OU from the Active Directory Administrative Center]

  7. Back in the Active Directory Administrative Center, the custom OU is now listed and is available for use:

    [Image: Custom OU available for use in the Active Directory Administrative Center]
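The same procedure as a script, covering both the membership requirement from the considerations section above and steps 4 to 7 of the Administrative Center walkthrough. This is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the domain-joined management VM and that the signed-in user is in AAD DC Administrators. The OU name MyCustomOu, the domain aaddscontoso.com and the service account name svc-app01 are placeholders.

```powershell
# Added example (not part of the original article): create and verify a custom OU
# in an Azure AD DS managed domain with the ActiveDirectory module, run from a
# domain-joined management VM. OU, domain and account names are placeholders.
Import-Module ActiveDirectory

$OuName        = 'MyCustomOu'                        # placeholder OU name
$OuDescription = 'Custom OU for service accounts'
$Domain        = Get-ADDomain                         # the managed domain this VM is joined to
$DomainDn      = $Domain.DistinguishedName            # e.g. DC=aaddscontoso,DC=com
$AdminGroup    = 'AAD DC Administrators'

# 1. Confirm the signed-in user may create OUs: membership of AAD DC Administrators
#    is required, so fail early instead of getting an access-denied error later.
$me      = Get-ADUser -Identity $env:USERNAME
$members = Get-ADGroupMember -Identity $AdminGroup -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $me.SamAccountName) {
    throw "$($me.SamAccountName) is not a member of '$AdminGroup'; OU creation would be denied."
}

# 2. Create the OU directly under the domain root (managed domains use a flat OU
#    structure). Skip creation if it already exists so the script can be re-run.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    # -ManagedBy could be added here to fill the 'Managed By' field shown in the dialog.
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDn `
            -Description $OuDescription -ProtectedFromAccidentalDeletion $true -PassThru
}

# 3. Show who holds full control of the new OU: the creating user (as owner) and,
#    by default, the AAD DC Administrators group.
$acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 4. Create a service account inside the custom OU. Objects created here live only
#    in the managed domain and are not visible in the Azure AD tenant.
$svcName = 'svc-app01'                                # placeholder service account name
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $password = Read-Host -Prompt "Password for $svcName" -AsSecureString
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $ou.DistinguishedName `
        -AccountPassword $password -Enabled $true -Description 'Application service account'
}

# 5. List the OU's direct children to confirm the result (equivalent to step 7).
Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel |
    Select-Object Name, ObjectClass
```

Run it from a PowerShell session on the management VM while signed in as the AAD DC Administrators member. The ACL listing in step 3 is what you would check after delegating the OU to a narrower group: any unexpected identity with GenericAll on the OU should be removed, since anyone with full control there can create and modify the service accounts it contains.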

Next steps

For more information on using the administrative tools or creating and using service accounts, see the following articles: