Putting computer object to the right OU

oscarmok

I am a newbie to AD and hoping someone can help us.

When we join the XP machine to the domain (Right Click My Computer |
Properties | Computer Name | Change), we change the membership from
Workgroup to MYDOMAIN. We then add the Domain Users group to the local
Administrators group (Right click My Computer | Manage | Local Users
and Groups | Groups | Double Click Administrators Group | Add | Domain
Users).

Is this the right approach?

Also, I noticed that once the PC is joined to AD, the hostname of the PC will
sit in the \Computers container. I have set up my AD as follows:

..Vancouver
..Sales.Vancouver
..Accounting.Vancouver

..Calgary
..Sales.Calgary
..Accounting.Calgary

Users are created under those OUs (e.g. .oscarmok.sales.vancouver,
..johnsmith.accounting.calgary).

I was told that the computer (hostname of the PC) should sit under the
OU, not in the \Computers container, i.e. oscarmok-pc should be under
..sales.vancouver.

Is it true? If so, how can I do so?
 
Matjaz Ladava [MVP]

By default your computer account will be created in the Computers container. You
can move it to another Organizational Unit. It is advisable to organize your
network resources in AD into several OUs for management purposes (delegating
permissions) and for group policies, which are applied to resources residing
in OUs. You cannot change the default computer object creation in a Windows 2000
domain, but you can do this in a Windows Server 2003 domain.

By adding Domain Users to the local Admins group, you are making every domain
user also a local Admin of every workstation. If this is what you want, then
you are doing the right thing, but I would suggest you teach people to run
with minimum permissions, which local Admin isn't.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
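The two things this reply covers, moving the computer object out of the default Computers container and pulling the blanket Domain Users membership back out of the local Administrators group, as an added PowerShell example. This is not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module, a domain at Windows Server 2003 functional level or later, Windows 10 or later on the workstation for the LocalAccounts cmdlets, and the OU layout oscarmok describes. MYDOMAIN comes from the thread; 'oscarmok-pc' and 'Workstation Admins' are placeholder names.

```powershell
# Added example, not from the thread. Part 1 runs on an admin workstation or
# DC with the ActiveDirectory module; part 2 runs elevated on each workstation.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName        # e.g. DC=MYDOMAIN,DC=local
$computerName = 'oscarmok-pc'                            # placeholder host name
$targetOU     = "OU=Sales,OU=Vancouver,$domainDN"        # OU from the thread's layout

# --- Part 1: relocate the computer object -----------------------------------
# 1. A fresh join lands the account in CN=Computers, which is a container, not
#    an OU, so no OU-linked GPO reaches it there.
$computer = Get-ADComputer -Identity $computerName
Write-Host "Before: $($computer.DistinguishedName)"

# 2. Move it under the department OU so OU-linked GPOs and any delegated
#    permissions on that OU now apply to this workstation.
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU
Write-Host "After:  $((Get-ADComputer -Identity $computerName).DistinguishedName)"

# 3. Anything still listed here is a workstation receiving no OU-linked policy.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel |
    Select-Object Name, DistinguishedName

# 4. Windows Server 2003 functional level or later only: redirect the default
#    join location with the built-in redircmp.exe so future joins land in an OU.
#    & redircmp.exe "OU=Computers,OU=Vancouver,$domainDN"

# --- Part 2: on each workstation, narrow the local Administrators group ------
# Removing 'Domain Users' takes away the everyone-is-admin setting described in
# the thread; 'MYDOMAIN\Workstation Admins' is an assumed, narrower support group.
$adminsBefore = Get-LocalGroupMember -Group 'Administrators'
if ($adminsBefore.Name -contains 'MYDOMAIN\Domain Users') {
    Remove-LocalGroupMember -Group 'Administrators' -Member 'MYDOMAIN\Domain Users'
    Add-LocalGroupMember    -Group 'Administrators' -Member 'MYDOMAIN\Workstation Admins'
}
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Windows XP, the client in the thread, predates these cmdlets; the equivalent
# there is the classic net command:
#   net localgroup Administrators "MYDOMAIN\Domain Users" /delete
```

Run part 1 once per misplaced computer (or loop over the step-3 listing), and part 2 on each workstation before the OU-linked GPOs are trusted to do anything, since a local administrator can undo most user-side restrictions.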
 
oscarmok

Matjaz

Thank you for your response. We are still learning AD. Users are
used to logging in as 'administrator' with no password (even worse). At
least we make them log on to AD, but they still have local Admin rights.

From your suggestion, we should move those PCs to the appropriate OU. Do I
create a sub-OU of the job function (e.g. Computers.Sales.Vancouver) or a
sub-OU of the geo-location (e.g. Computers.Vancouver)? And then I move
those computer objects there.

Once I have moved those computer objects, I shall begin with GPOs. Will
there be any issue if I apply a GPO with the current settings (from my last
email) to all the users? The GPOs will start with simple ones like
disabling changing the graphics resolution or disabling Add/Remove Programs.

Thanks
 
Matjaz Ladava [MVP]

Well, then you're making progress :). Just keep improving your security
with time. Never stop and be satisfied with your setup. There is always room
for improvements.

There are several possibilities for how to organize your OU structure, and
they are covered by various books, so I can't write it all here, but you can
organize your AD structure by:

Geographical locations, and below them your local offices/departments

or, simpler,

Organization, and below it Computers and Users OUs.

It all depends on how you want to control your environment. On the top OU
create a company-wide policy which applies to all, and then below it create
OU-specific GPOs. Remember just one thing: never, never modify the Domain GPO for
controlling your clients. The only time you need to change or create a GPO
at domain level is when you want to control your password policies. I have
seen too many admins lock themselves out of AD because they changed
domain-wide policies.

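The layering Matjaz describes (company-wide policy on the top OU, department-specific GPOs below it, nothing new linked at the domain root except password policy), together with the simple Run / Control Panel / Add/Remove Programs restrictions oscarmok asks about, as an added PowerShell example. It is not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a current Windows Server, and builds the city/department layout from the thread with separate Users and Computers OUs under each department (the geo-location variant oscarmok floated). GPO names are placeholders; the registry policy values are the standard Explorer policies behind the User Configuration settings named.

```powershell
# Added example, not from the thread. Creates the OU tree, links a baseline GPO
# at the top-level (city) OU and a narrower GPO at a department OU, then lists
# what is linked at the domain root so any drift from "password policy only"
# is visible.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# Create an OU under $Path if it is not already there; returns its DN.
function Add-OUIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path | Out-Null
    }
    return "OU=$Name,$Path"
}

# Layout from the thread: city, then departments, each with Users and Computers.
$layout = @{
    'Vancouver' = @('Sales', 'Accounting')
    'Calgary'   = @('Sales', 'Accounting')
}
foreach ($city in $layout.Keys) {
    $cityDN = Add-OUIfMissing -Name $city -Path $domainDN
    foreach ($dept in $layout[$city]) {
        $deptDN = Add-OUIfMissing -Name $dept -Path $cityDN
        foreach ($sub in 'Users', 'Computers') {
            Add-OUIfMissing -Name $sub -Path $deptDN | Out-Null
        }
    }
}

# Create a GPO once and link it to one target; returns the GPO object.
function Add-LinkedGPO {
    param([string]$Name, [string]$Target, [string]$Comment)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    $alreadyLinked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $alreadyLinked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
    return $gpo
}

# Top-level OU: settings every Vancouver user gets, regardless of department.
$baseline = Add-LinkedGPO -Name 'Vancouver Baseline' -Target "OU=Vancouver,$domainDN" `
                          -Comment 'Company-wide restrictions for all Vancouver OUs'
Set-GPRegistryValue -Name $baseline.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall' `
    -ValueName 'NoAddRemovePrograms' -Type DWord -Value 1 | Out-Null     # hide Add/Remove Programs

# Department OU: the tighter Sales-only settings layered on top of the baseline.
$sales = Add-LinkedGPO -Name 'Sales Vancouver Lockdown' -Target "OU=Sales,OU=Vancouver,$domainDN" `
                       -Comment 'Sales-specific restrictions'
Set-GPRegistryValue -Name $sales.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null                   # remove Run from Start menu
Set-GPRegistryValue -Name $sales.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null          # block Control Panel

# Audit the domain root: per the advice above, only the password-policy GPO
# (normally Default Domain Policy) should appear here.
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Because the restrictions live in the User Configuration half of the GPOs, they follow the user accounts sitting in the Users OUs; computer-side settings added later would follow the objects moved into the Computers OUs. Running the final audit on a schedule, and diffing its output, is a cheap way to catch someone editing the domain-level policy that the reply warns against.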
 
oscarmok

Matjaz

Thanks for the heads up.

Based on my current setting (domain users with full rights in the local
admin group): if I start adding GPOs (like no Run, no Control Panel)
under the OU (Sales.Vancouver), will it disable any users who are part of the OU
(sales.vancouver) even if they have local admin group rights?

Thanks
 