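Description: After a user who belonged to AO or a similar group is removed from that group, the protection flag is not changed, so operator groups other than the Admin group cannot manage the account.
The following links cover the explanation and the fix:
(1) Hotfix and the protected-group flag (dsHeuristic): http://support.microsoft.com/kb/817433/en-us
(2) Create a query in the AD management console that lists the accounts that cannot be managed (xml):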
<QUERY>
  <NAME>All SSO can't be managed by AO</NAME>
  <DESCRIPTION/>
  <DN/>
  <FILTERLASTLOGON>-1</FILTERLASTLOGON>
  <LDAPQUERY>(&amp; (&amp;(objectCategory=user)(objectclass=user)(|(cn=7*)(cn=8*)(cn=3*))(admincount=1)))</LDAPQUERY>
  <ONELEVEL>FALSE</ONELEVEL>
  <COLUMNID>{140AB8B7-12D6-4848-B56C-DFCB51975A69}</COLUMNID>
  <DSQUERYUIDATA></DSQUERYUIDATA>
</QUERY>
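The saved query above lists every flagged account; the PowerShell below narrows that to accounts that still carry adminCount=1 but are no longer in any protected group. It is an added example, not part of the original post. It assumes the ActiveDirectory (RSAT) module, that each currently protected group itself has adminCount=1, and it leaves out the cn prefixes from the saved query.

```powershell
# Added example: report-only, nothing in the directory is modified.
Import-Module ActiveDirectory

# Assumption: every group that is protected today carries adminCount=1.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# DNs of everyone who is still a direct or nested member of such a group.
$stillProtected = [System.Collections.Generic.HashSet[string]]::new(
    [StringComparer]::OrdinalIgnoreCase)
foreach ($group in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object { [void]$stillProtected.Add($_.DistinguishedName) }
    }
    catch {
        # Very large groups or unresolvable members can make the cmdlet fail;
        # surface it so a gap in coverage is not mistaken for a clean result.
        Write-Warning "Could not expand $($group.DistinguishedName): $_"
    }
}

# Same object filter as the saved query. krbtgt is excluded because it is
# protected directly, not through group membership.
$filter = '(&(objectCategory=user)(objectClass=user)(adminCount=1)' +
          '(!(sAMAccountName=krbtgt)))'
$flagged = Get-ADUser -LDAPFilter $filter -Properties adminCount, nTSecurityDescriptor

# Accounts that kept the flag after leaving every protected group.
$flagged |
    Where-Object { -not $stillProtected.Contains($_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name       = 'InheritanceBlocked'
           Expression = { $_.nTSecurityDescriptor.AreAccessRulesProtected } } |
    Sort-Object SamAccountName
```

Accounts returned with InheritanceBlocked set to True are the ones delegated operator groups cannot manage until the flag is cleared and ACL inheritance is re-enabled on the object.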
Reposted from: https://blog.51cto.com/xrbenbeba/477697