windows 2003域內計算機無法添加打印機-組策略限制

 修改下列三項策略,解決這個問題:

在GPMC中新建一條策略做如下修改
1。計算機配置 - Windows設置 - 安全設置 - 本地策略 - 用戶權限分配 - 裝載和卸載設備驅動程序
由 沒有定義 改爲 Domain Users

2。計算機配置 - 管理模板 - 打印機 - 不允許安裝使用內核模式驅動程序的打印機
由 未被配置 改爲 己禁用

3。用戶配置 - 管理模板 - 控制面板 - 打印機 - 指向和打印限制

由 未被配置 改爲 己禁用

 

另外一個方法，把域用戶先添加到本地管理員，按照完後再推出。不推薦這個方法，起不到策略部署

 

 

 

 

 

 Users cannot join a computer to a domain

To resolve the issue in which users cannot join a computer to a domain, follow these steps:

1. Click Start, click Run, type dsa.msc, and then click OK.

2. In the task pane, expand the domain node.

3. Locate and right-click the OU that you want to modify, and then click Delegate Control.

4. In the Delegation of Control Wizard, click Next.

5. Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.

6. In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.

7. Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.

8. Click Next.

9. In the Permissions list, click to select the following check boxes:

   • Reset Password

   • Read and write Account Restrictions

   • Validated write to DNS host name

   • Validated write to service principal name

10. Click Next, and then click Finish.

11. Close the "Active Directory Users and Computers" MMC snap-in.

Users cannot reset passwords

To resolve the issue in which users cannot reset passwords, follow these steps:

1. Click Start, click Run, type dsa.msc, and then click OK.

2. In the task pane, expand the domain node.

3. Locate and right-click Builtin, and then click Properties.

4. In the Builtin Properties dialog box, click the Security tab.

5. In the Group or user names list, click Account Operators.

6. Under Permissions for Account Operators, click to select the Allow check box for the Read permission, and then click OK.
   
   Note If you want to use a group or a user other than the Account Operators group, repeat steps 5 and 6 for that group or that user.

7. Close the "Active Directory Users and Computers" MMC snap-in.