Delegating Administration of Default Containers and OUs

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Every Active Directory domain contains a standard set of containers and organizational units (OUs) that are created during the installation of Active Directory Domain Services (AD DS). These include the following:

  • Domain container, which serves as the root container of the hierarchy

  • Built-in container, which holds the default service administrator accounts

  • Users container, which is the default location for new user accounts and groups created in the domain

  • Computers container, which is the default location for new computer accounts created in the domain

  • Domain Controllers OU, which is the default location for the computer accounts of domain controllers

The forest owner controls these default containers and OUs.

Domain container

The domain container is the root container of the hierarchy of a domain. Changes to the policies or the access control list (ACL) on this container can potentially have domain-wide impact: inheritable ACEs set here flow down to every object beneath it that does not block inheritance, and a GPO linked here applies to the whole domain. Do not delegate control of this container; it must be controlled by the service administrators.

Users and Computers containers

When you perform an in-place domain upgrade from Windows Server 2003 to Windows Server 2008, existing users and computers are automatically placed into the Users and Computers containers. If you are creating a new Active Directory domain, the Users and Computers containers are the default locations for all new user accounts and non-domain-controller computer accounts in the domain.

Important

If you need to delegate control over users or computers, do not modify the default settings on the Users and Computers containers. Instead, create new OUs (as needed) and move the user and computer objects from their default containers into the new OUs. Delegate control over the new OUs as needed. We recommend that you not modify who controls the default containers.

Also, you cannot link Group Policy objects to the default Users and Computers containers: they are container objects, not OUs, and GPOs can be linked only to sites, domains and OUs. Objects left in them receive only the site- and domain-linked GPOs. To apply Group Policy to users and computers, create new OUs and move the user and computer objects into those OUs. Apply the Group Policy settings to the new OUs.

Optionally, you can redirect the creation of objects that would otherwise be placed in the default containers so that they are placed in containers of your choice, using the redirusr.exe and redircmp.exe tools on a domain controller.
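The procedure above (create OUs, move the existing objects out of the default containers, delegate on the new OUs, link Group Policy there, and redirect where new objects land) as one PowerShell session. This is an added example, not code from the original page or from Microsoft. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a service-administrator session on a domain controller; the OU names "Corp Users" and "Workstations", the delegation group "Helpdesk-Tier2" and the GPO name "Workstation Baseline" are illustrative placeholders.

```powershell
# Added example, not from the original page. Assumes: ActiveDirectory and GroupPolicy
# RSAT modules, run as a service administrator on a DC. The OU names, the group
# Helpdesk-Tier2 and the GPO name are illustrative placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$usersOU  = "OU=Corp Users,$domainDN"
$workstOU = "OU=Workstations,$domainDN"

# 1. Create new OUs instead of changing who controls CN=Users / CN=Computers.
foreach ($name in 'Corp Users', 'Workstations') {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move existing objects out of the default containers.
#    $domain.UsersContainer / .ComputersContainer give the DNs of the well-known
#    containers. Accounts with RIDs below 1000 (Administrator, Guest, krbtgt, ...)
#    are built-in and stay where they are, as the page requires.
Get-ADUser -Filter * -SearchBase $domain.UsersContainer -SearchScope OneLevel |
    Where-Object { [int](($_.SID.Value -split '-')[-1]) -ge 1000 } |
    Move-ADObject -TargetPath $usersOU
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Move-ADObject -TargetPath $workstOU

# 3. Delegate on the new OU, not on the default container: allow Helpdesk-Tier2 to
#    reset passwords on user objects below OU=Corp Users (an inherit-only ACE,
#    scoped to the "user" object class via the inheritedObjectType GUID).
$helpdesk      = Get-ADGroup -Identity 'Helpdesk-Tier2'
$resetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema class: user
$acl = Get-Acl -Path "AD:\$usersOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 4. Group Policy can be linked to OUs but not to the default containers.
$gpo = Get-GPO -Name 'Workstation Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Workstation Baseline' }
New-GPLink -Name $gpo.DisplayName -Target $workstOU -LinkEnabled Yes

# 5. Make new accounts land in the new OUs instead of the default containers
#    (requires Windows Server 2003 domain functional level or higher).
redirusr.exe $usersOU
redircmp.exe $workstOU
```

Step 3 shows the shape of a delegation ACE that keeps the default container's DACL untouched: the right is granted on the new OU only, marked inherit-only (Descendents) and restricted to the user class, so the helpdesk group gains nothing on the OU object itself or on non-user objects placed in it. The RID filter in step 2 is what keeps Administrator, Guest and krbtgt in CN=Users, which the next section says must stay under service-administrator control.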

Well-known users and groups and built-in accounts

By default, several well-known users and groups and built-in accounts are created in a new domain. We recommend that management of these accounts remains under the control of the service administrators. Do not delegate management of these accounts to an individual who is not a service administrator. The following lists the well-known users and groups and the built-in accounts that need to remain under the control of the service administrators.

Well-known users and groups:

  • Cert Publishers

  • Domain Controllers

  • Group Policy Creator Owners

  • KRBTGT

  • Domain Guests

  • Administrator

  • Domain Admins

  • Schema Admins (forest root domain only)

  • Enterprise Admins (forest root domain only)

  • Domain Users

Built-in accounts:

  • Administrator

  • Guest

  • Guests

  • Account Operators

  • Administrators

  • Backup Operators

  • Incoming Forest Trust Builders

  • Print Operators

  • Pre-Windows 2000 Compatible Access

  • Server Operators

  • Users

Domain Controllers OU

When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controllers OU. This OU has a default set of policies applied to it (the Default Domain Controllers Policy GPO is linked to it). To ensure that these policies are applied uniformly to all domain controllers, we recommend that you not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.

By default, the service administrators control this OU. Do not delegate control of this OU to individuals other than the service administrators.
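As an added check for the two rules in this section and for the list of well-known groups and built-in accounts above, here is a PowerShell audit that first verifies that every domain controller's computer object is still in the Domain Controllers OU, and then reports explicit (non-inherited) write-type ACEs on the domain container, the Domain Controllers OU, AdminSDHolder and each listed group and account that are held by anyone other than SYSTEM, BUILTIN\Administrators, Domain Admins or Enterprise Admins. This is an added example, not code from the original page or from Microsoft; it assumes the ActiveDirectory RSAT module and a service-administrator session in the domain being audited.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory RSAT module
# and a service-administrator session in the domain being audited. The object list
# follows the page's list of well-known groups and built-in accounts; AdminSDHolder is
# added because its DACL is the template stamped onto most of those groups.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dcOU     = $domain.DomainControllersContainer   # OU=Domain Controllers,<domain>

# 1. Every domain controller's computer object should still be in the Domain Controllers OU.
$misplaced = Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOU" } |
    Select-Object -ExpandProperty ComputerObjectDN
if ($misplaced) { Write-Warning ("DC objects outside ${dcOU}:`n" + ($misplaced -join "`n")) }

# 2. Objects whose control must stay with the service administrators.
$groups = 'Cert Publishers', 'Domain Controllers', 'Group Policy Creator Owners', 'Domain Guests',
          'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Domain Users', 'Guests',
          'Account Operators', 'Administrators', 'Backup Operators', 'Incoming Forest Trust Builders',
          'Print Operators', 'Pre-Windows 2000 Compatible Access', 'Server Operators', 'Users'
$accounts = 'Administrator', 'Guest', 'krbtgt'

$targets = @($domainDN, $dcOU, "CN=AdminSDHolder,CN=System,$domainDN")
# LDAP filters simply return nothing for Schema/Enterprise Admins outside the forest root.
$targets += ($groups   | ForEach-Object { (Get-ADGroup -LDAPFilter "(sAMAccountName=$_)").DistinguishedName })
$targets += ($accounts | ForEach-Object { (Get-ADUser  -LDAPFilter "(sAMAccountName=$_)").DistinguishedName })

# Principals that are service administrators by definition: SYSTEM, BUILTIN\Administrators,
# Domain Admins (RID 512) and Enterprise Admins (RID 519). Anything else holding a
# write-type right directly on one of these objects is reported for review.
function Test-ServiceAdminPrincipal([System.Security.Principal.IdentityReference]$Id) {
    $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($sid -eq 'S-1-5-18' -or $sid -eq 'S-1-5-32-544' -or $sid -match '-(512|519)$')
}
$writeRights = [int][System.DirectoryServices.ActiveDirectoryRights](
    'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, ExtendedRight, WriteDacl, WriteOwner, GenericWrite, GenericAll')

$findings = foreach ($dn in ($targets | Where-Object { $_ })) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        if (Test-ServiceAdminPrincipal $ace.IdentityReference) { continue }
        [pscustomobject]@{
            Object     = $dn
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType   # non-empty GUID = a specific property, extended right or child class
        }
    }
}
$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

The first run reports the default DACL entries too (the domain container, for instance, carries explicit create-child ACEs for Account Operators), so record that output as a baseline and diff later runs against it rather than treating every row as a finding. Most of the groups in the list are protected objects whose DACL is overwritten from AdminSDHolder by the SDProp process every 60 minutes by default, so a delegation that persists on one of them usually means AdminSDHolder itself was changed, which is why that object is included in the audit.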