Delegating Administration of Account OUs and Resource OUs

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Account organizational units (OUs) contain user, group, and computer objects. Resource OUs contain resources and the accounts that are responsible for managing those resources. The forest owner is responsible for creating an OU structure to manage these objects and resources and for delegating control of that structure to the OU owner.

Delegating administration of account OUs

Delegate an account OU structure to data administrators if they need to create and modify user, group, and computer objects. The account OU structure is a subtree of OUs for each account type that must be independently controlled. For example, the OU owner can delegate specific control to various data administrators over child OUs in an account OU for users, computers, groups, and service accounts.

The following illustration shows one example of an account OU structure.

[Illustration: Delegation of administration]

The following table lists and describes the possible child OUs that you can create in an account OU structure.

OU | Purpose
Users | Contains user accounts for nonadministrative personnel.
Service Accounts | Some services that require access to network resources run as user accounts. This OU is created to separate service user accounts from the user accounts contained in the Users OU. Also, placing the different types of user accounts in separate OUs enables you to manage them according to their specific administrative requirements.
Computers | Contains accounts for computers other than domain controllers.
Groups | Contains groups of all types except for administrative groups, which are managed separately.
Admins | Contains user and group accounts for data administrators in the account OU structure to allow them to be managed separately from regular users. Enable auditing for this OU so that you can track changes to administrative users and groups.

The following illustration shows one example of an administrative group design for an account OU structure.

[Illustration: Delegation of administration]

Groups that manage the child OUs are granted full control only over the specific class of objects that they are responsible for managing.

The types of groups that you use to delegate control within an OU structure are based on where the accounts are located relative to the OU structure that is to be managed. If the admin user accounts and the OU structure all exist within a single domain, the groups that you create to use for delegation must be global groups. If your organization has a department that manages its own user accounts and exists in more than one geographical region, you might have a group of data administrators who are responsible for managing account OUs in more than one domain. If the accounts of the data administrators all exist in a single domain and you have OU structures in multiple domains to which you need to delegate control, make those administrative accounts members of global groups and delegate control of the OU structures in each domain to those global groups. If the data administrator accounts to which you delegate control of an OU structure come from multiple domains, you must use a universal group. Universal groups can contain users from different domains, and therefore they can be used to delegate control in multiple domains.

Delegating administration of resource OUs

Resource OUs are used to manage access to resources. The resource OU owner creates computer accounts for servers that are joined to the domain and that host resources such as file shares, databases, and printers. The resource OU owner also creates groups to control access to those resources.

The following illustration shows the two possible locations for the resource OU.

[Illustration: Delegation of administration]

The resource OU can be located under the domain root or as a child OU of the corresponding account OU in the OU administrative hierarchy. Resource OUs do not have any standard child OUs. Computers and groups are placed directly in the resource OU.

The resource OU owner owns the objects within the OU but does not own the OU container itself. Resource OU owners manage only computer and group objects; they cannot create other classes of objects within the OU, and they cannot create child OUs.

Note

The creator or owner of an object has the ability to set the access control list (ACL) on the object regardless of the permissions that are inherited from the parent container. If a resource OU owner can reset the ACL on an OU, that owner can create any class of object in the OU, including users. For this reason, resource OU owners are not permitted to create OUs.

For each resource OU in the domain, create a global group to represent the data administrators who are responsible for managing the content of the OU. This group has full control over the group and computer objects in the OU but not over the OU container itself.
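The following PowerShell is an added example, not code from the original article. It implements both delegation patterns described above: it builds the account OU subtree from the table, creates a global group per delegated class and grants it full control over that single object class only, and then does the same for a resource OU where the group controls computer and group objects but not the OU container. It assumes the ActiveDirectory module, a caller holding the OU owner's rights, and constructed placeholder names ('Sales Accounts', 'Sales User Admins', 'Sales Resource Admins').

```powershell
# Added example (not from the article). OU names and group names are constructed placeholders.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

# Look up the schemaIDGUID of an object class (user, computer, group, ...) for class-scoped ACEs.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
        -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# Grant a group full control over one object class in an OU: create/delete that class in the OU
# itself, plus GenericAll on descendant objects of that class. Nothing is granted on the OU
# container, so the group cannot create other classes (no child OUs, no users in a resource OU).
function Grant-ClassFullControl([string]$OuDN, [string]$GroupSam, [string]$ObjectClass) {
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $classGuid = Get-SchemaClassGuid $ObjectClass
    $acl = Get-Acl -Path "AD:\$OuDN"
    $createDelete = $rights::CreateChild -bor $rights::DeleteChild
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDelete, $allow, $classGuid, $inherit::None)))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::GenericAll, $allow, $inherit::Descendents, $classGuid)))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Account OU subtree for one department, with the standard child OUs from the table above.
$accountOU = "OU=Sales Accounts,$domainDN"
New-ADOrganizationalUnit -Name 'Sales Accounts' -Path $domainDN
foreach ($child in 'Users', 'Service Accounts', 'Computers', 'Groups', 'Admins') {
    New-ADOrganizationalUnit -Name $child -Path $accountOU
}
# Delegation groups are global because the admin accounts and the OUs share one domain;
# a universal group would be needed if the data administrators came from several domains.
$adminsOU = "OU=Admins,$accountOU"
New-ADGroup -Name 'Sales User Admins' -GroupScope Global -Path $adminsOU
Grant-ClassFullControl -OuDN "OU=Users,$accountOU" -GroupSam 'Sales User Admins' -ObjectClass 'user'

# Resource OU as a child of the account OU: one global group, computer and group objects only.
$resourceOU = "OU=Sales Resources,$accountOU"
New-ADOrganizationalUnit -Name 'Sales Resources' -Path $accountOU
New-ADGroup -Name 'Sales Resource Admins' -GroupScope Global -Path $adminsOU
foreach ($class in 'computer', 'group') {
    Grant-ClassFullControl -OuDN $resourceOU -GroupSam 'Sales Resource Admins' -ObjectClass $class
}
```

After running it, `(Get-Acl "AD:\$resourceOU").Access` should show the resource group only in class-scoped entries, with no entry granting rights on the organizationalUnit class itself.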

The following illustration shows the administrative group design for a resource OU.

[Illustration: Delegation of administration]

Placing the computer accounts into a resource OU gives the OU owner control over the account objects but does not make the OU owner an administrator of the computers. In an Active Directory domain, the Domain Admins group is, by default, placed in the local Administrators group on all computers. That is, service administrators have control over those computers. If resource OU owners require administrative control over the computers in their OUs, the forest owner can apply a Restricted Groups Group Policy to make the resource OU owner a member of the Administrators group on the computers in that OU.