Is it wrong to create security groups on mydomain/Computers container?

[Guest SammyBar]

Hi all,

 

I'm creating security groups of computers to assign different domain level

GPOs to each of them. In the past I created such groups in Active Directory

Users and Computers in mydomain/Computers instead of mydomain/Users. In the

past it looked to me more natural. But I always wondered why Microsoft

creates groups of computers in mydomain/Users? For example in my W2K3 domain

controller "RAS and IAS Servers" , "Domain Computers", "Domain Controllers"

groups are created in mydomain/Users.

Is it any problems with creating security groups in mydomain/Computers? Does

not it works the same if they were created in mydomain/Users?

 

Thanks in advance

Sammy

[Guest Richard Mueller [MVP]]

Re: Is it wrong to create security groups on mydomain/Computers container?

 

Sammy wrote:

> I'm creating security groups of computers to assign different domain level

> GPOs to each of them. In the past I created such groups in Active

> Directory Users and Computers in mydomain/Computers instead of

> mydomain/Users. In the past it looked to me more natural. But I always

> wondered why Microsoft creates groups of computers in mydomain/Users? For

> example in my W2K3 domain controller "RAS and IAS Servers" , "Domain

> Computers", "Domain Controllers" groups are created in mydomain/Users.

> Is it any problems with creating security groups in mydomain/Computers?

> Does not it works the same if they were created in mydomain/Users?

 

I avoid creating objects in the Users container for two reasons. It has

standard items and I'd rather not mix in my own objects, plus group policies

are applied to OU's.

 

I would use the same reasoning for the Computers container. I would place

computers in an OU so group policy can be applied. But it is your choice. In

this case, your groups will not be mixed with other standard groups. It

doesn't matter where the groups are, as long as you can find them easily.

 

--

Richard Mueller

MVP Directory Services

Hilltop Lab - http://www.rlmueller.net

--

[Guest SammyBar]

Re: Is it wrong to create security groups on mydomain/Computers container?

 

Thanks Richard for your answer,

I'm really a 110% programmer in charge of administering the AD of my

organisation in the -10% remaider time. Our organisation is not too big so I

stick to one rule: depart the minimum from the standard AD setup, 'cause I

have no time to train in administrative issues. So I have not introduced any

Organisational Unit on my AD tree. Even when I hadt to introduce GPO (for

WSUS) I dig the web until I found te security filtering for domain based

GPOs. Shortly: I terribly afraid to break something. So just give me the tip

without sending me to read bunch of documentation: Can I create OU and

relocate computers and users and groups freely...? I'm asking that 'cause

for long time I'd liked to organize the long list of users and computers in

a better way for me to administer but I don't want it to impact the way all

is working now.

 

Thanks for your time

Sammy

 

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> escribió en

el mensaje news:%23fJU7MhqIHA.4876@TK2MSFTNGP02.phx.gbl...

> Sammy wrote:

>

>> I'm creating security groups of computers to assign different domain

>> level GPOs to each of them. In the past I created such groups in Active

>> Directory Users and Computers in mydomain/Computers instead of

>> mydomain/Users. In the past it looked to me more natural. But I always

>> wondered why Microsoft creates groups of computers in mydomain/Users? For

>> example in my W2K3 domain controller "RAS and IAS Servers" , "Domain

>> Computers", "Domain Controllers" groups are created in mydomain/Users.

>> Is it any problems with creating security groups in mydomain/Computers?

>> Does not it works the same if they were created in mydomain/Users?

>

> I avoid creating objects in the Users container for two reasons. It has

> standard items and I'd rather not mix in my own objects, plus group

> policies are applied to OU's.

>

> I would use the same reasoning for the Computers container. I would place

> computers in an OU so group policy can be applied. But it is your choice.

> In this case, your groups will not be mixed with other standard groups. It

> doesn't matter where the groups are, as long as you can find them easily.

>

> --

> Richard Mueller

> MVP Directory Services

> Hilltop Lab - http://www.rlmueller.net

> --

>

>

[Guest Richard Mueller [MVP]]

Re: Is it wrong to create security groups on mydomain/Computers container?

 

Creating OU's and moving users, computers, and/or groups into them will have

no impact at all (since your only Group Policy is at the domain level). You

can create OU's any way you wish that makes sense to you (so you can find

objects). The users, computers, and groups will never know the difference if

they are moved (as long as their names are not changed).

 

--

Richard Mueller

MVP Directory Services

Hilltop Lab - http://www.rlmueller.net

--

 

"SammyBar" <sammybar@gmail.com> wrote in message

news:uugo6chqIHA.2520@TK2MSFTNGP02.phx.gbl...

> Thanks Richard for your answer,

> I'm really a 110% programmer in charge of administering the AD of my

> organisation in the -10% remaider time. Our organisation is not too big so

> I stick to one rule: depart the minimum from the standard AD setup, 'cause

> I have no time to train in administrative issues. So I have not introduced

> any Organisational Unit on my AD tree. Even when I hadt to introduce GPO

> (for WSUS) I dig the web until I found te security filtering for domain

> based GPOs. Shortly: I terribly afraid to break something. So just give me

> the tip without sending me to read bunch of documentation: Can I create OU

> and relocate computers and users and groups freely...? I'm asking that

> 'cause for long time I'd liked to organize the long list of users and

> computers in a better way for me to administer but I don't want it to

> impact the way all is working now.

>

> Thanks for your time

> Sammy

>

> "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> escribió

> en el mensaje news:%23fJU7MhqIHA.4876@TK2MSFTNGP02.phx.gbl...

>> Sammy wrote:

>>

>>> I'm creating security groups of computers to assign different domain

>>> level GPOs to each of them. In the past I created such groups in Active

>>> Directory Users and Computers in mydomain/Computers instead of

>>> mydomain/Users. In the past it looked to me more natural. But I always

>>> wondered why Microsoft creates groups of computers in mydomain/Users?

>>> For example in my W2K3 domain controller "RAS and IAS Servers" , "Domain

>>> Computers", "Domain Controllers" groups are created in mydomain/Users.

>>> Is it any problems with creating security groups in mydomain/Computers?

>>> Does not it works the same if they were created in mydomain/Users?

>>

>> I avoid creating objects in the Users container for two reasons. It has

>> standard items and I'd rather not mix in my own objects, plus group

>> policies are applied to OU's.

>>

>> I would use the same reasoning for the Computers container. I would place

>> computers in an OU so group policy can be applied. But it is your choice.

>> In this case, your groups will not be mixed with other standard groups.

>> It doesn't matter where the groups are, as long as you can find them

>> easily.

>>

>> --

>> Richard Mueller

>> MVP Directory Services

>> Hilltop Lab - http://www.rlmueller.net

>> --

>>

>>

>

>