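How do I implement group nesting in Active Directory?
How do I implement group nesting in Active Directory? For example, the municipal bureau group contains the county bureau groups, a county bureau group contains the grassroots unit groups, and a grassroots unit group contains the individual users.
While experimenting, I found that in Active Directory, if a group is a global group, its members cannot include domain local groups; if a group is a domain local group, its members can only include global groups. So the group nesting described above cannot be achieved.
How should this be done? Thanks!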
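Thank you for using Microsoft products.
Below are the concepts of groups; your requirement should be achievable. The key is how you design the domain model and the groups.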
Another aspect of the logical planning process for Active Directory is the
concept of groups. In Windows NT 4.0, two basic types of groups were available
to a network administrator, local and global. With the limitations inherent in
this structure, Windows 2000 now provides increased functionality and
flexibility for network administrators with the following groups:
- Groups with local scope (also called local groups)
- Groups with domain local scope (also called domain local groups)
- Groups with global scope (also called global groups)
- Groups with universal scope (also called universal groups)
An important change to note is that global groups can now contain other global
groups. While global groups are still used to collect users, the ability to
place one group inside another allows an administrator to place them anywhere in
a forest for easier maintenance. However, global groups can only contain users
and groups from a domain in the Active Directory forest.
Because many networks may contain a mixture of Windows 2000 and Windows NT 4.0
servers, you must determine the number and type of domains on your network and
which of those domains are mixed-mode or native-mode before you create groups:
- Mixed-mode domain. The Windows 2000 operating system installs, by default, in
a mixed-mode network configuration. A mixed-mode domain is a networked set of
computers running both Windows NT 4.0 and Windows 2000 domain controllers.
(You can also have a mixed-mode domain running only Windows 2000 domain
controllers.)
- Native-mode domain. You can convert a domain to native mode when it contains
only Windows 2000 Server domain controllers.
The universal group (new for Windows 2000) can contain all other groups and
users from any tree in the forest and can be used with any Access Control List
(ACL) within the forest.
Global, domain-local, and universal groups can be combined to control access to
network resources. The basic use of global groups is for organizing users into
administrative containers that represent their respective domains. Universal
groups are used to contain the global groups from the various domains to further
manage the domain hierarchy when granting permissions. Global groups can be
added to universal groups and then assigned permissions to domain-local groups
where the resource physically exists. By structuring groups this way,
administrators can add or remove users from each domain's global group to
control access to resources throughout the enterprise without having to make
changes in multiple locations.
I hope this information is helpful to you.
- Microsoft Global Technical Center, DTA Technical Support
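The nesting rules from the reply above, as an added example (not part of the original thread and not Microsoft code): a small model of which group scopes accept which members in mixed-mode and native-mode Windows 2000 domains, run against the city/county/unit hierarchy from the question. The group names, the user name and the domain `corp.example` are constructed for illustration.

```python
# Added example: models the Windows 2000 group-nesting rules; not Microsoft code.
# Which member kinds each group scope accepts, per domain mode.
# "same" = member must be in the group's own domain, "any" = any domain in the forest.
RULES = {
    "native": {
        "global":       {"user": "same", "global": "same"},
        "domain_local": {"user": "any", "global": "any", "universal": "any",
                         "domain_local": "same"},
        "universal":    {"user": "any", "global": "any", "universal": "any"},
    },
    "mixed": {  # universal security groups cannot be created in mixed mode
        "global":       {"user": "same"},
        "domain_local": {"user": "any", "global": "any"},
    },
}

def can_nest(mode, parent, member):
    """parent/member are (scope, domain) tuples; member scope may be 'user'."""
    (p_scope, p_dom), (m_scope, m_dom) = parent, member
    reach = RULES[mode].get(p_scope, {}).get(m_scope)
    if reach is None:          # this scope never accepts that member kind
        return False
    return reach == "any" or p_dom == m_dom

def check_plan(mode, objects, memberships):
    """Return the (parent, member) name pairs that the domain mode rejects."""
    return [(p, m) for p, m in memberships
            if not can_nest(mode, objects[p], objects[m])]

# Constructed sample: the city > county > unit > user hierarchy from the
# question, all in one hypothetical domain "corp.example".
OBJECTS = {
    "CityBureau":   ("global", "corp.example"),
    "CountyBureau": ("global", "corp.example"),
    "BaseUnit":     ("global", "corp.example"),
    "zhang":        ("user",   "corp.example"),
}
PLAN = [("CityBureau", "CountyBureau"), ("CountyBureau", "BaseUnit"),
        ("BaseUnit", "zhang")]

if __name__ == "__main__":
    for mode in ("mixed", "native"):
        print(mode, "rejected:", check_plan(mode, OBJECTS, PLAN))
```

The same three-level plan is rejected at both group-in-group links in a mixed-mode domain and accepted in full once the domain is in native mode.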