Shulou(Shulou.com)06/01 Report--

In windows, how to make the activity directory domain join the domain permission delegation, many novices are not very clear about this. In order to help you solve this problem, the following editor will explain it in detail. People with this need can come and learn. I hope you can get something.

I intend to use delegation when joining the domain, but I can't find the task of "join computer to domain". There are only other tasks, such as adding users and viewing information, which are not in common tasks. The system is sp1 of win2003 Enterprise Edition. When you join the domain with the account with delegated permissions and the account of the general users group, you are prompted to deny access. I don't know why.

Answer: according to your description, my understanding of this question is that when you delegate control permissions in a domain, you do not see the "join a computer to a domain" permission. Please let me know if my understanding is wrong.

This may be that you delegate control on OU, and you can see the "join computer to domain" permission only if you delegate control at the domain level, because joining a domain is for a domain, not for an OU, so this option is only visible at the domain level. It is recommended that you delegate permissions again, add the "join computer to domain" permission, and join the domain using the delegated account to see if there are any problems.

This account has permission to join the domain for all ou in this domain. Can you only restrict him to join the domain in a certain ou?

-simple

To delegate permissions to join a domain for a specific OU, you must customize the delegate task. The steps are as follows:

1. Turn on Active Directory user and computer Management.

two。 Expand OU, right-click on the OU to be delegated, and select delegation Control.

3. According to the wizard, select the group to delegate permissions, and click next.

4. Select create a custom task to delegate, and click next.

5. Click the following objects in the folder and select the following options from the list box:

Computer object

Create selected objects in this folder

Delete selected objects in this folder

6. Click next, and in the permissions list box, select the following options:

Read

Write

Reset password

Verify that DNS hostname is written

Read and Write account restrictions

Verify that the write to the service principal name

7. Click next and click finish.

When a computer joins a domain, the computer account is stored in the Computers container by default, so when joining a domain, you must first create a computer object in the OU before joining the domain, otherwise you cannot join the domain. Or use Netdom to specify the OU of the computer object that is created when you join the domain.

The reason for the denial of access is that ordinary domain users cannot write to the computers container or the corresponding OU, so they can be given write permission to the corresponding domain account.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.