默认的Domain Users组的成员,是可以在AD中创建10个计算机账号的,这10个计算机账号,包括:将新的计算机加入域;将域中的计算机退域后改名再加入域。
如果希望授权给某些用户,让他们可以不受限制的将计算机加入域,可以参考以下方法通过组策略来实现:
1.使用组策略对象编辑器编辑:Default Domain Policy
2.依次找到:Computer Configuration - Windows Setting - Security Setting - Local Policies - User Rights Assignment
3.在右边找到:Add workstations to domain,并右键查看属性
4.将需要授权的用户或者组添加进去(默认只有Domain Admins)。待组策略刷新后,该处的用户和组就能够不受限制的将计算机加入域了。
附Add workstations to domain的策略描述:
Add workstations to domain
This security setting determines which groups or users can add workstations to a domain.
This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.
Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.
Default: Authenticated Users on domain controllers.
Note:
Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts.
In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.
如果希望授权给某些用户,让他们可以不受限制的将计算机加入域,可以参考以下方法通过组策略来实现:
1.使用组策略对象编辑器编辑:Default Domain Policy
2.依次找到:Computer Configuration - Windows Setting - Security Setting - Local Policies - User Rights Assignment
3.在右边找到:Add workstations to domain,并右键查看属性
4.将需要授权的用户或者组添加进去(默认只有Domain Admins)。待组策略刷新后,该处的用户和组就能够不受限制的将计算机加入域了。
附Add workstations to domain的策略描述:
Add workstations to domain
This security setting determines which groups or users can add workstations to a domain.
This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.
Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.
Default: Authenticated Users on domain controllers.
Note:
Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts.
In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.
转载于:https://blog.51cto.com/doubletang/351021
2050
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
