Delegating Administration by Using OU Objects

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. To delegate administration by using an OU, place the individual or group to which you are delegating administrative rights into a group, place the set of objects to be controlled into an OU, and then delegate administrative tasks for the OU to that group.

Active Directory Domain Services (AD DS) enables you to control the administrative tasks that can be delegated at a very detailed level. For example, you can assign one group to have full control of all objects in an OU; assign another group the rights only to create, delete, and manage user accounts in the OU; and then assign a third group the right only to reset user account passwords. You can make these permissions inheritable so that they apply to any OUs that are placed in subtrees of the original OU.

Default OUs and containers are created during the installation of AD DS and are controlled by service administrators. It is best if service administrators continue to control these containers. If you need to delegate control over objects in the directory, create additional OUs and place the objects in these OUs. Delegate control over these OUs to the appropriate data administrators. This makes it possible to delegate control over objects in the directory without changing the default control given to the service administrators.

The forest owner determines the level of authority that is delegated to an OU owner. This can range from the ability to create and manipulate objects within the OU to only being allowed to control a single attribute of a single type of object in the OU. Granting a user the ability to create an object in the OU implicitly grants that user the ability to manipulate any attribute of any object that the user creates. In addition, if the object that is created is a container, the user implicitly has the ability to create and manipulate any objects that are placed in the container.
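
The narrowest delegation described above (a group that may only reset user passwords, inherited by child OUs) can be applied and then reviewed as follows. This is an added example, not part of the original documentation; the OU distinguished name `OU=Staff,DC=example,DC=com` and the group name `Helpdesk-PasswordReset` are assumptions. The review step flags explicit entries that include create rights or full control, because those carry the implicit authority over created objects described above.

```powershell
# Requires the RSAT ActiveDirectory module and permission to modify the OU's ACL.
Import-Module ActiveDirectory

# Assumed names for illustration; replace with your own OU and group.
$ouDn  = 'OU=Staff,DC=example,DC=com'
$group = Get-ADGroup -Identity 'Helpdesk-PasswordReset'

# Well-known schema GUIDs.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# Allow only the Reset Password right, only on user objects, inherited by
# descendants of the OU (users in this OU and in any child OUs).
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: list the explicit (non-inherited) Allow entries on the OU and flag
# broad rights. CreateChild and GenericAll let the holder create objects,
# which implies control over everything that holder creates.
$broad = 'GenericAll', 'CreateChild', 'WriteDacl', 'WriteOwner'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType,
        @{ Name = 'Broad'; Expression = {
            $rights = $_.ActiveDirectoryRights.ToString()
            [bool]($broad | Where-Object { $rights -match "\b$_\b" })
        } } |
    Format-Table -AutoSize
```

Run the review step periodically against each delegated OU; any entry with `Broad` set to `True` for a principal that is not a service administrator deserves a second look.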

In this section