Is there a way to automatically place a computer in a specific OU based on the user who joins it to the domain? For example, I have 5 OUs; the site admins can add PCs to the domain but cannot manage any other aspect of AD outside their OU, and we want to avoid having to move computers into the correct OU.
I know about the ability to change the default location of new computers in AD globally, and about pre-staging them in the correct OU, but I'm looking for something more specific, if it exists.
Posted 2011-06-13 18:10:51
Have them use netdom to join the machine to the specific OU they manage:
netdom help join
The syntax of this command is:
NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
[/PasswordD:[password | *]]
[/UserO:user] [/PasswordO:[password | *]]
[/PasswordM:[password | *]]
[/ReadOnly]
[/REBoot[:Time in seconds]]
[/SecurePasswordPrompt]
NETDOM JOIN Joins a workstation or member server to the domain.
machine is the name of the workstation or member server to be joined
/Domain Specifies the domain which the machine should join. You
can specify a particular domain controller by entering
/Domain:domain\dc. When /ReadOnly option is used, you
must specify a domain controller.
/UserD User account used to make the connection with the domain
specified by the /Domain argument
/PasswordD Password of the user account specified by /UserD. A * means
to prompt for the password
/UserO User account used to make the connection with the machine to
be joined
/PasswordO Password of the user account specified by /UserO. A * means
to prompt for the password
/OU Organizational unit under which to create the machine account.
This must be a fully qualified RFC 1779 DN for the OU.
If not specified, the account will be created under the default
organization unit for machine objects for that domain.
/PasswordM Password of the pre-created computer account, whose name is
specified by the machine parameter. A * means to prompt
for the password. This option must be used with /ReadOnly
option.
/ReadOnly Perform a domain join using a pre-created computer account and
without performing any writes to a domain controller. This
option therefore, does not require a writable domain controller.
You must specify the domain controller (using /Domain option)
and computer account password (using /PasswordM option)
when the option is used. This option cannot be used with /OU
option.
/REBoot Specifies that the machine should be shutdown and automatically
rebooted after the Join has completed. The number of seconds
before automatic shutdown can also be provided. Default is
30 seconds
/SecurePasswordPrompt
Use secure credentials popup to specify credentials. This
option should be used when smartcard credentials need to be
specified. This option is only in effect when the password
value is supplied as *
Windows Professional machines with the ForceGuest setting enabled (which is the
default for machines not joined to a domain during setup) cannot be remotely
administered. Thus the join operation must be run directly on the machine
when the ForceGuest setting is enabled.
When joining a machine running Windows NT version 4 or before to the domain
the operation is not transacted. Thus, a failure during the operation could
leave the machine in an undetermined state with respect to the domain it is
joined to.
The act of joining a machine to the domain will create an account for the
machine on the domain if it does not already exist.
NETDOM HELP command | MORE displays Help one screen at a time.
Posted 2011-06-13 18:20:35
Not sure what would be more specific than pre-staging the computer objects in the correct OU. If you've already delegated that permission to the admins, that would be the fastest/easiest approach. You could use the netdom command as Jim pointed out, but that requires typing the correct LDAP path every time, which is error-prone.
Edit:
If you have a Server 2008 R2 DC and are adding Server 2008 R2 servers or Windows 7 clients, another option is to use Offline Domain Join.
The admin would provision the computer object on Windows 7 or Server 2008 R2 with:
djoin /provision /Domain <domain> /Machine <PCName> /MachineOU <ldap Path> /Savefile <PCName>.txt
Then they can copy the file to the computer to be added and run:
djoin /RequestODJ /loadfile <PCName>.txt /Windowspath C:\Windows
This can be used to add a PC to the domain without network connectivity.
Posted 2011-06-13 18:46:30
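The error-prone part of both the netdom and djoin approaches is typing the OU's LDAP path by hand. The helper below is an added example (not code from any of the answers above) that maps a site code to its OU DN and then performs either a live join with Add-Computer or an Offline Domain Join provisioning step with djoin. The domain example.local, the site codes and their OU DNs are assumed; it expects Windows PowerShell 5.1, since Add-Computer is not available in PowerShell 7.

```powershell
# Added example, not part of the original answers.
# Assumed: domain example.local, the site codes and OU DNs below, and
# Windows PowerShell 5.1 (Add-Computer is not available in PowerShell 7).
$SiteOUs = @{
    'NYC' = 'OU=NYC,OU=Workstations,DC=example,DC=local'
    'LON' = 'OU=LON,OU=Workstations,DC=example,DC=local'
}

function Join-SiteComputer {
    param(
        [Parameter(Mandatory)][string]$Site,            # site code, e.g. NYC
        [string]$ComputerName = $env:COMPUTERNAME,      # PC name used for offline provisioning
        [string]$DomainName   = 'example.local',
        [switch]$Offline                                # djoin /provision instead of a live join
    )
    # Refuse anything that is not a known site, so a typo cannot land the
    # computer in the default Computers container or in the wrong OU.
    if (-not $SiteOUs.ContainsKey($Site)) {
        throw "Unknown site '$Site'. Known sites: $($SiteOUs.Keys -join ', ')"
    }
    $ou = $SiteOUs[$Site]

    if ($Offline) {
        # Offline Domain Join as in the second answer: run this on a machine that
        # can reach a DC, then copy the blob to the new PC and load it with
        # 'djoin /RequestODJ'. The blob carries the machine account password,
        # so treat it as a secret and delete it once it has been loaded.
        $blob = "$ComputerName.txt"
        & djoin.exe /provision /domain $DomainName /machine $ComputerName /machineou $ou /savefile $blob
        if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
        return $blob
    }

    # Live join of the local computer: the delegated site admin is prompted for
    # credentials; that account only needs 'Create Computer objects' on $ou.
    $cred = Get-Credential -Message "Account delegated for $ou"
    Add-Computer -DomainName $DomainName -OUPath $ou -Credential $cred -Restart
}

# Usage: Join-SiteComputer -Site NYC                          (join this PC into the NYC OU)
#        Join-SiteComputer -Site LON -ComputerName PC042 -Offline   (provision an ODJ blob)
```

Because the OU DN comes from the table rather than the command line, a site admin who is only delegated rights on their own OU cannot accidentally target another one.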
You can use the Delegate Control feature in Active Directory to apply permissions on each specific OU you want your people to put their computers in. First, a warning: they must not be allowed to add computer objects anywhere else in the domain, otherwise it will pick the first OU it finds (I think!!).
For example, say you have an OU called Other_Computers. 1. Right-click on it, choose "Delegate Control", click Next, and then choose the users you want to delegate control to.
Once that's done, assuming the user has no rights to add computer objects elsewhere in the domain, any computer they add will automatically go into that OU.
https://serverfault.com/questions/279998