Create an Organizational Unit (OU) in an Azure Active Directory Domain Services managed domain

Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings.

Azure AD DS managed domains include the following two built-in OUs:

  • AADDC Computers - contains computer objects for all computers that are joined to the managed domain.
  • AADDC Users - includes users and groups synchronized in from the Azure AD tenant.

As you create and run workloads that use Azure AD DS, you may need to create service accounts for applications to authenticate themselves. To organize these service accounts, you often create a custom OU in the managed domain and then create the service accounts within that OU.

In a hybrid environment, OUs created in an on-premises AD DS environment aren't synchronized to the managed domain. Managed domains use a flat OU structure. All user accounts and groups are stored in the AADDC Users container, even when they are synchronized from different on-premises domains or forests and even if you've configured a hierarchical OU structure there.

This article shows you how to create an OU in your managed domain.

Before you begin

To complete this article, you need the following resources and privileges:

Custom OU considerations and limitations

When you create custom OUs in a managed domain, you gain additional flexibility for user management and for applying group policy. Compared to an on-premises AD DS environment, there are some limitations and considerations when creating and managing a custom OU structure in a managed domain:

  • To create custom OUs, users must be a member of the AAD DC Administrators group.
  • A user that creates a custom OU is granted administrative privileges (full control) over that OU and is the resource owner.
    • By default, the AAD DC Administrators group also has full control of the custom OU.
  • A default OU for AADDC Users is created that contains all the synchronized user accounts from your Azure AD tenant.
    • You can't move users or groups from the AADDC Users OU to custom OUs that you create. Only user accounts or resources created in the managed domain can be moved into custom OUs.
  • User accounts, groups, service accounts, and computer objects that you create under custom OUs aren't available in your Azure AD tenant.
    • These objects don't show up using the Microsoft Graph API or in the Azure AD UI; they're only available in your managed domain.

Create a custom OU

To create a custom OU, you use the Active Directory Administrative Tools from a domain-joined VM. The Active Directory Administrative Center lets you view, edit, and create resources in a managed domain, including OUs.

Note

To create a custom OU in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. Sign in to your management VM. For steps on how to connect using the Azure portal, see Connect to a Windows Server VM.

  2. From the Start screen, select Administrative Tools. A list of the available management tools that were installed in the tutorial to create a management VM is shown.

  3. To create and manage OUs, select Active Directory Administrative Center from the list of administrative tools.

  4. In the left pane, choose your managed domain, such as aaddscontoso.com. A list of existing OUs and resources is shown:

    [Screenshot: Select your managed domain in the Active Directory Administrative Center]

  5. The Tasks pane is shown on the right side of the Active Directory Administrative Center. Under the domain, such as aaddscontoso.com, select New > Organizational Unit.

    [Screenshot: Choose the option to create a new OU in the Active Directory Administrative Center]

  6. In the Create Organizational Unit dialog, specify a Name for the new OU, such as MyCustomOu. Provide a short description for the OU, such as Custom OU for service accounts. If desired, you can also set the Managed By field for the OU. To create the custom OU, select OK.

    [Screenshot: Create a custom OU from the Active Directory Administrative Center]

  7. Back in the Active Directory Administrative Center, the custom OU is now listed and is available for use:

    [Screenshot: Custom OU available for use in the Active Directory Administrative Center]
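The same procedure, scripted from the management VM with the ActiveDirectory PowerShell module instead of the Active Directory Administrative Center. This is an added example and not part of the original article: it assumes the RSAT ActiveDirectory module is available on the management VM, that the signed-in user is a member of AAD DC Administrators (the group's sAMAccountName is assumed to be that display name), and it reuses the article's OU name MyCustomOu and description; the service account name svc-app01 is hypothetical. It also checks the two considerations from the section above: the creator becomes the OU owner, and objects created under the custom OU live only in the managed domain.

```powershell
# Added example (not from the original article): create a custom OU in the
# managed domain with PowerShell and verify the documented behaviour.
Import-Module ActiveDirectory

$domain = Get-ADDomain                   # managed domain, e.g. aaddscontoso.com
$ouName = 'MyCustomOu'                   # OU name used in the article
$ouPath = $domain.DistinguishedName      # create the OU directly under the domain root

# Pre-check: only members of AAD DC Administrators can create custom OUs.
# Assumption: the group's sAMAccountName is 'AAD DC Administrators'.
$isAdmin = Get-ADGroupMember -Identity 'AAD DC Administrators' -Recursive |
    Where-Object { $_.SamAccountName -eq $env:USERNAME }
if (-not $isAdmin) {
    throw "Sign in as a member of AAD DC Administrators to create custom OUs."
}

# Create the OU only if it does not already exist (idempotent re-runs).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $ouPath -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $ouPath `
        -Description 'Custom OU for service accounts' `
        -ProtectedFromAccidentalDeletion $true
}
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $ouPath -SearchScope OneLevel

# Consideration check 1: the creating user is the owner of the custom OU.
# The AD: PSDrive is provided by the ActiveDirectory module.
$owner = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Owner
Write-Host "Owner of $($ou.DistinguishedName): $owner"

# Create a service account inside the custom OU. 'svc-app01' is a hypothetical name.
$svcName = 'svc-app01'
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName `
        -Path $ou.DistinguishedName `
        -Description 'Service account for app01' `
        -AccountPassword $svcPassword -Enabled $true
}

# Consideration check 2: objects created under the custom OU exist only in the
# managed domain. They appear here, but not in the Azure AD tenant (Graph API / portal).
Get-ADUser -Filter * -SearchBase $ou.DistinguishedName |
    Select-Object Name, SamAccountName, DistinguishedName
```

Because synchronized accounts cannot be moved out of AADDC Users, the script never attempts a Move-ADObject on tenant-synchronized users; it only creates new objects directly in the custom OU, which is the supported pattern for workload service accounts.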

Next steps

For more information on using the administrative tools or creating and using service accounts, see the following articles: