===== Delegation =====
Grant the right to unlock an object:\\
Write **lockoutTime**
Grant the right to enable and disable an account:\\
Write **userAccountControl**
Move Computer accounts between OUs:\\
In ADUC, right click the first OU and select Delegate Control.
- Add the user or group you want.
- Select the “Create a custom task to delegate” option and click Next.
- Select “Only the following objects in the folder”
- Check the box before “Computer objects” in the list.
- Check the box before “Create selected objects in this folder” and “Delete selected objects in this folder”. Click Next.
- Check the box for “Write”.
- Click Next and Finish.
- Perform the same steps on another OU.
https://profadmins.com/tag/delegate-control-move-computer-objects-from-one-ou-to-another/
===== ADSI =====
<code powershell>
$object.attribute = "value"
# and
$object.Put("attribute", "value")
</code>
Both assign a value to the attribute. The question was what the difference is and which one you should use. The question also noted that they behave differently when creating objects.
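<code powershell>
# Bind to the OU that will contain the new user
$ou = [ADSI]"LDAP://ou=test,dc=Manticore,dc=org"

# Property syntax on a new object that has not been committed yet
$user1 = $ou.create("user","cn=test39")
$user1.description = "test 39"
$user1.setinfo()
</code>
<code>
Exception calling "setinfo" with "0" argument(s): "A constraint violation occurred.
(Exception from HRESULT: 0x8007202F)"
At line:1 char:15
+ $user1.setinfo <<<< ()
</code>
<code powershell>
# Put() on the new object before the first setinfo()
$user2 = $ou.create("user","cn=test49")
$user2.Put("description", "test 49")
$user2.setinfo()

# Commit the new object first, then use property syntax and commit again
$user1 = $ou.create("user","cn=test59")
$user1.setinfo()
$user1.description = "test 59"
$user1.setinfo()
</code>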
We start as normal by creating an object for the OU to contain the user. We then use the create method to create the user. If we try to set the description (or any other attribute) and then call setinfo() we get the error shown. However, if we use Put() to set the attribute immediately after creation and then call setinfo() – it works!
https://richardspowershellblog.wordpress.com/2008/09/12/adsi-put-and-attributes/
===== Home folder =====
Create a directory, for example ''\\server\home''.
Share it as, for example, ''\\server\home$'', with share permissions Everyone: Full control.
NTFS permissions:
* Everyone: Traverse folder/execute file, list folder/read data, read attributes, create folders/append data (This folder only)
* Creator owner: Full control (Subfolders and files only)
* SYSTEM: Full control
* Administrators: Full control
* Remove all other entries.
In AD, on the Profile tab, choose a drive letter and set ''\\server\home$\%username%'' for all users.
https://www.petenetlive.com/KB/Article/0000739
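The share and NTFS permissions listed above, applied from PowerShell on the file server. This is an added example, not taken from the linked article: the local path ''D:\home'' and the helper ''New-Ace'' are assumptions, and well-known SIDs stand in for the account names.

```powershell
# Added example. Assumption: the share root is D:\home on the file server (hypothetical path).
$path = 'D:\home'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Hypothetical helper: build one Allow ACE for a well-known SID.
function New-Ace {
    param(
        [string]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Start from an empty DACL with inheritance blocked, so no other entries survive.
$acl = [System.Security.AccessControl.DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)

# Everyone (S-1-1-0): traverse, list, read attributes, create folders; this folder only.
$acl.AddAccessRule((New-Ace 'S-1-1-0' 'Traverse, ListDirectory, ReadAttributes, CreateDirectories' 'None' 'None'))
# CREATOR OWNER (S-1-3-0): full control; subfolders and files only.
$acl.AddAccessRule((New-Ace 'S-1-3-0' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544): full control on everything.
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    $acl.AddAccessRule((New-Ace $sid 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
}
Set-Acl -Path $path -AclObject $acl

# Hidden share with Everyone: Full control; the NTFS ACL does the real access control.
New-SmbShare -Name 'home$' -Path $path -FullAccess 'Everyone' | Out-Null

# Check: list what ended up on the folder; expect exactly the four entries above,
# none of them inherited.
Get-Acl -Path $path | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```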
===== Offline domain join =====
<code>
# On a DC or an admin workstation (the computer account is created in the Computers container in AD)
djoin.exe /provision /domain example.com /machine vmws-srv1 /savefile c:\temp\vmws-srv1.txt
# On the server that is to be joined to the domain
djoin.exe /requestodj /loadfile <path to file>\vmws-srv1.txt /windowspath c:\windows /localos
# Reboot the server, verify the domain join, delete the file
</code>