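Description: After a user who was a member of a group such as AO is removed from that group, the account's protection flag is not reset, so operator groups other than the Admin group can no longer manage the account.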

The items below give the related explanation and the fix:

(1) Hotfix and the protected-group identifier (dsHeuristic): http://support.microsoft.com/kb/817433/en-us

 

(2) Create a saved query in the AD management console that lists the accounts that cannot be managed (xml):

<QUERY>
  <NAME>All SSO can't be managed by AO</NAME>
  <DESCRIPTION />
  <DN />
  <FILTERLASTLOGON>-1</FILTERLASTLOGON>
  <LDAPQUERY>(&amp;(&amp;(objectCategory=user)(objectclass=user)(|(cn=7*)(cn=8*)(cn=3*))(admincount=1)))</LDAPQUERY>
  <ONELEVEL>FALSE</ONELEVEL>
  <COLUMNID>{140AB8B7-12D6-4848-B56C-DFCB51975A69}</COLUMNID>
  <DSQUERYUIDATA>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</DSQUERYUIDATA>
  </QUERY>
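
The saved query above lists every matching account with admincount=1, including accounts that are still legitimately in a protected group. The following PowerShell is an added example, not part of the original post: it runs the same LDAP filter and keeps only the accounts that are no longer members of any protected group, which are the stale ones described at the top. It assumes the ActiveDirectory RSAT module is available, and the group list in `$protectedGroups` is an assumed set of default names to adjust for your domain.

```powershell
Import-Module ActiveDirectory

# Assumption: groups treated as protected in this domain. Edit to match your
# environment (and any dsHeuristic exclusions you have configured).
$protectedGroups = @(
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
)

# Collect the DNs of everyone who is currently a direct or nested member.
$stillProtected = [System.Collections.Generic.HashSet[string]]::new(
    [StringComparer]::OrdinalIgnoreCase)
foreach ($group in $protectedGroups) {
    # Groups that do not exist in this domain are skipped silently.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$stillProtected.Add($_.DistinguishedName) }
}

# Same filter as the saved query: cn prefixes 7*, 8*, 3* and admincount=1.
$filter = '(&(objectCategory=user)(objectClass=user)(|(cn=7*)(cn=8*)(cn=3*))(adminCount=1))'

$stale = Get-ADUser -LDAPFilter $filter -Properties adminCount, nTSecurityDescriptor |
    Where-Object { -not $stillProtected.Contains($_.DistinguishedName) } |
    Select-Object Name, DistinguishedName, adminCount,
        # True means the ACL no longer inherits from the parent OU, so
        # permissions delegated on the OU do not reach this account.
        @{ Name = 'InheritanceDisabled'
           Expression = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }

# Report only; nothing is modified.
$stale | Sort-Object Name | Format-Table -AutoSize
"{0} account(s) flagged but no longer in a protected group" -f @($stale).Count
```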