Creating an Organizational Unit Design

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Forest owners are responsible for creating organizational unit (OU) designs for their domains. Creating an OU design involves designing the OU structure, assigning the OU owner role, and creating account and resource OUs.

Initially, design your OU structure to enable delegation of administration. When the OU design is complete, you can create additional OU structures for the application of Group Policy to the users and computers and to limit the visibility of objects. For more information, see Designing a Group Policy Infrastructure (http://go.microsoft.com/fwlink/?LinkId=106655).

OU owner role

The forest owner designates an OU owner for each OU that you design for the domain. OU owners are data managers who control a subtree of objects in Active Directory Domain Services (AD DS). OU owners can control how administration is delegated and how policy is applied to objects within their OU. They can also create new subtrees and delegate administration of OUs within those subtrees.

Because OU owners do not own or control the operation of the directory service, you can separate ownership and administration of the directory service from ownership and administration of objects, reducing the number of service administrators who have high levels of access.

OUs provide administrative autonomy and the means to control visibility of objects in the directory. OUs provide isolation from other data administrators, but they do not provide isolation from service administrators. Although OU owners have control over a subtree of objects, the forest owner retains full control over all subtrees. This enables the forest owner to correct mistakes, such as an error in an access control list (ACL), and to reclaim delegated subtrees when data administrators are terminated.

Account OUs and resource OUs

Account OUs contain user, group, and computer objects. Forest owners must create an OU structure to manage these objects and then delegate control of the structure to the OU owner. If you are deploying a new AD DS domain, create an account OU for the domain so that you can delegate control of the accounts in the domain.

Resource OUs contain resources and the accounts that are responsible for managing those resources. The forest owner is also responsible for creating an OU structure to manage these resources and for delegating control of that structure to the OU owner. Create resource OUs as needed based on the requirements of each group within your organization for autonomy in the management of data and equipment.

Documenting the OU design for each domain

Assemble a team to design the OU structure that you use to delegate control over resources within the forest. The forest owner might be involved in the design process and must approve the OU design. You might also involve at least one service administrator to ensure that the design is valid. Other design team participants might include the data administrators who will work on the OUs and the OU owners who will be responsible for managing them.

It is important to document your OU design. List the names of the OUs that you plan to create. And, for each OU, document the type of OU, the OU owner, the parent OU (if applicable), and the origin of that OU.

For a worksheet to assist you in documenting your OU design, download Job_Aids_Designing_and_Deploying_Directory_and_Security_Services.zip from Job Aids for Windows Server 2003 Deployment Kit (http://go.microsoft.com/fwlink/?LinkID=102558) and open "Identifying OUs for Each Domain" (DSSLOGI_9.doc).
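
Once OUs exist, the documented design can be compared with what is actually deployed. The following read-only script is an added example, not part of the original article or the job aid: it lists each OU with its parent, its recorded owner, and the ACEs set directly on it, which is where an ACL error or a delegation that should be reclaimed would show up. It assumes the ActiveDirectory PowerShell module is available and that your organization records the OU owner in the `managedBy` attribute; the output file name is a placeholder.

```powershell
# Added example: read-only OU inventory for the design record and a delegation review.
# Assumptions: the RSAT ActiveDirectory module is installed, and the OU owner is
# recorded in managedBy (informational only; the attribute grants no rights by itself).
Import-Module ActiveDirectory

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties ManagedBy, Description, whenCreated) {

    # Parent container = the DN with its first RDN removed.
    # Split on the first comma that is not escaped with a backslash.
    $parent = ($ou.DistinguishedName -split '(?<!\\),', 2)[1]

    # ACEs set directly on the OU (not inherited) are where control was delegated.
    # ACEs from the OU default security descriptor also appear here, so review
    # the entries that go beyond those defaults.
    $explicit = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }

    [pscustomobject]@{
        Name        = $ou.Name
        Parent      = $parent
        Owner       = $ou.ManagedBy
        Created     = $ou.whenCreated
        Description = $ou.Description
        Delegations = ($explicit |
            ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" } |
            Sort-Object -Unique) -join '; '
    }
}

# OUs with no recorded owner are gaps in the design documentation.
$report | Where-Object { -not $_.Owner } | Select-Object Name, Parent

# Keep the full inventory next to the design worksheet for comparison.
$report | Export-Csv -Path .\ou-design-inventory.csv -NoTypeInformation
```

The "type of OU" (account or resource) and its origin are design decisions that are not stored in the directory by default, so those columns still come from the worksheet.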

In this section