Placement of computer objects in AD

G

Guest

I have been advised that I shouldn't put computer objects in the same OUs as
the people who will be using those computers. (I found the other day that
some Group Policy settings weren't being applied to computers in our domain
coz those computer objects were in the default 'Computers' OU in our
AD.....seemed logical to put those computers in the same OUs as their users)

Can anybody tell me why computers shouldn't be in the same OUs as their
users, and does anybody know of any good articles on this subject?
 
R

Ryan Hanisco

There isn't a real reason why you shouldn't put them there, but rather good
reasons to separate them. Doing things this way allows you a greater
granularity in your management of the objects.

Generally you will create an OU based on Site or Business Unit, then an OU
for each users and computers in that business unit. Create a group inside
the OUs to contain all constituent objects so you'll have the option for GPO
filtering as well.

There are a lot of ways to look at this and it will be dictated as your
needs are defined. Look to this and go from there.
--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Ageing Brilliantine Stick Insect"
 
G

Guest

Segregation of computer and user objects into different OUs allows better
definition and application of Group Policy Objects (GPOs) to the intended
target. This can even be further broken down for granular control.

e.g.
domain.com
--- Servers OU
--------- File OU
--------- Terminal Server / Citrix OU
--------- Database Server OU
etc.

The GPO loopback feature is an option for consideration as well.

Do let us know if this helps. Thanks.
 
J

Jimmy Andersson [MVP]

The AD design should reflect how you want to administrate your environment.
Personally, I find it easier in many cases to separate computer objects from
user and contact objects, mostly because of granularity and flexibility.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"Ageing Brilliantine Stick Insect"
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO Computer Setting - Ccan they be applied to Users ? 6
OU Design with single domain AD structure 3
AD OU and Security Group Structure 1
Win2k3 AD OU/GPO Design Discussion 1
AD permission for admins 3
Documenting Active Directory Environment. 2
What objects in an OU inherit Group Policies? 2
permission for moving objects in AD 3

Top