Authenticated user permissions are removed in Lync Server 2013


Topic Last Modified: 2013-02-21

In a locked-down Active Directory environment, the access control entries (ACEs) for Authenticated Users are removed from the default Active Directory containers, including the Users, Configuration or System containers and the organizational units (OUs) where User and Computer objects are stored. Removing the Authenticated Users ACEs prevents read access to Active Directory information for ordinary authenticated accounts. However, removing these ACEs creates issues for Lync Server 2013, because Setup depends on read permissions to these containers to let users run domain preparation.

In this situation, membership in the Domain Admins group, which is required to run domain preparation, server activation, and pool creation, no longer grants read access to Active Directory information stored in the default containers. You must manually grant read-access permissions on the relevant containers in the forest root domain so that Setup can check that the prerequisite forest preparation procedure is complete.

To enable a user to run domain preparation, server activation, or pool creation on any non-forest-root domain, you have the following options:

  • Use an account that is a member of the Enterprise Admins group to run domain preparation.

  • Use an account that is a member of the Domain Admins group and grant this account read-access permissions on each of the following containers in the forest root domain:

    • Domain

    • Configuration or System

If you do not want to use an account that is a member of the Enterprise Admins group to run domain preparation or other Setup tasks, explicitly grant the account you want to use read access on the relevant containers in the forest root. This is the lower-privilege option: the account receives only read access on specific containers rather than forest-wide Enterprise Admins membership.

To give users read-access permissions on containers in the forest root domain

  1. Log on to a computer joined to the forest root domain with an account that is a member of the Domain Admins group for the forest root domain.

  2. Run adsiedit.msc for the forest root domain.

    If the Authenticated Users ACEs were removed from the Domain, Configuration, or System container, you must grant read-only permissions on that container, as described in the following steps.

  3. Right-click the container, and then click Properties.

  4. Click the Security tab.

  5. Click Advanced.

  6. On the Permissions tab, click Add.

  7. Type the name of the user or group receiving permissions in the format domain\account name, and then click OK.

  8. On the Objects tab, in Applies To, click This Object Only.

  9. In Permissions, select the following Allow ACEs by clicking the Allow column: List Contents, Read All Properties, and Read Permissions.

  10. Click OK twice.

  11. Repeat these steps for any of the relevant containers listed in Step 2.
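The ADSI Edit procedure above can also be scripted, which is useful when the same read ACEs must be applied consistently to the Domain, Configuration, and System containers and then verified. The following PowerShell is an added example and is not part of the original page or of Lync Server Setup. It assumes a hypothetical forest root domain contoso.com and a hypothetical account CONTOSO\LyncSetup, and it requires the ActiveDirectory module (RSAT) on a computer joined to the forest root domain, run as a member of that domain's Domain Admins group.

```powershell
# Added example (not from the original page): grant the same three Allow ACEs the
# ADSI Edit steps describe (List Contents, Read All Properties, Read Permissions),
# scoped to "This object only", on the Domain, Configuration and System containers
# of the forest root domain, then list the resulting explicit ACEs.
# Hypothetical values: forest root domain contoso.com, account CONTOSO\LyncSetup.

Import-Module ActiveDirectory

$forestRoot = 'contoso.com'                                                        # hypothetical forest root FQDN
$principal  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'LyncSetup') # hypothetical account

# Read the naming contexts from a forest root DC instead of hard-coding DNs.
$rootDse = Get-ADRootDSE -Server $forestRoot
$targets = @(
    $rootDse.defaultNamingContext,                 # Domain container (e.g. DC=contoso,DC=com)
    $rootDse.configurationNamingContext,           # Configuration container
    "CN=System,$($rootDse.defaultNamingContext)"   # System container
)

# A dedicated drive pinned to the forest root so the script works even when the
# session's default AD: drive points at a child domain.
New-PSDrive -Name ForestRoot -PSProvider ActiveDirectory -Root '' -Server $forestRoot | Out-Null

# Map the ADSI Edit check boxes to ActiveDirectoryRights flags:
#   List Contents       -> ListChildren
#   Read All Properties -> ReadProperty
#   Read Permissions    -> ReadControl
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

# "Applies to: This object only" corresponds to no inheritance to child objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

foreach ($dn in $targets) {
    $path = "ForestRoot:\$dn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted read ACEs to $principal on $dn"
}

# Verification: show only the explicit (non-inherited) ACEs for the account on
# each container, so a missing or inherited-only entry is obvious.
foreach ($dn in $targets) {
    (Get-Acl -Path "ForestRoot:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $principal.Value -and -not $_.IsInherited } |
        Select-Object @{ n = 'Container'; e = { $dn } }, IdentityReference, ActiveDirectoryRights, AccessControlType
}

Remove-PSDrive -Name ForestRoot
```

The three rights are deliberately limited to read-only operations on the container object itself; nothing is granted on child objects, which matches the This Object Only scope in the manual steps and keeps the grant as narrow as the page's procedure intends.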