This is more of a "what are others doing" as opposed to a question. We operate in a fairly large enterprise environment spread over geographical areas. Each office has different needs, thus different security groups/OUs/GPOs and what have you. As we all know, when a user or computer account is created, it will by default land in the Users/Computers containers. Well, again as we all know, you are unable to link GPOs to containers. I know you can "redirect" the default locations with the following Microsoft KB: http://support.microsoft.com/kb/324949.

If we were to do this, then all user and computer accounts would go to the new OUs respectively. So let's say we just did the redirect and linked GPOs to those new locations. A member of the server team joins a computer to the domain; it would automatically go to that new "Default" OU we created for computers and would inherit the GPOs linked to the OU. Well, the problem is we linked "Workstation" GPOs to that new OU, and now our servers get the Workstation GPOs. Now, we could link all GPOs to the new "Default" OU and do WMI filtering to separate the workstations from the servers, but this is now getting pretty complicated and I want to keep it KISS.

I guess ideally, is there a way for AD to understand the following: if you're a member of Group X, when you join a computer to the domain it goes to OU A; if you're a member of Group Y, then when that person joins the computer to a domain it goes to OU B. I hope I'm explaining this clearly as it's pretty complicated. I know we can prestage these accounts but I'm trying to make it as simple as possible and as automated as possible. Any ideas and recommendations of what others are doing would be much appreciated.
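An added example, not part of the original post: a PowerShell check for the failure mode described above, classifying computer objects found in the redirected default OU by their `OperatingSystem` attribute so that servers sitting under workstation GPOs show up in a report. The OU distinguished names, the function name `Get-StagingPlacement` and the sample objects are constructed placeholders; the commented lines at the end assume the ActiveDirectory module is installed.

```powershell
# Added example. OU names below are hypothetical placeholders.
$StagingOu = 'OU=Default Computers,DC=example,DC=com'   # redirect target (assumed)
$TargetOu  = @{
    Server      = 'OU=Servers,DC=example,DC=com'
    Workstation = 'OU=Workstations,DC=example,DC=com'
}

function Get-StagingPlacement {
    # Classifies a computer object by its OperatingSystem attribute and
    # reports the OU it belongs in. Objects with no OS recorded yet
    # (for example prestaged accounts) are reported as Unknown, not guessed.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer
    )
    process {
        $os = [string]$Computer.OperatingSystem
        if ([string]::IsNullOrWhiteSpace($os)) { $class = 'Unknown' }
        elseif ($os -match 'Server')           { $class = 'Server' }
        else                                   { $class = 'Workstation' }

        [pscustomobject]@{
            Name            = $Computer.Name
            OperatingSystem = $os
            Class           = $class
            MoveTo          = $TargetOu[$class]   # $null when Class is Unknown
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ Name = 'WKS-0142';   OperatingSystem = 'Windows 10 Enterprise' }
    [pscustomobject]@{ Name = 'SRV-FILE01'; OperatingSystem = 'Windows Server 2019 Standard' }
    [pscustomobject]@{ Name = 'NEW-PC07';   OperatingSystem = $null }
)
$sample | Get-StagingPlacement | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), list only
# the servers that are currently inheriting the staging OU's GPOs:
# Get-ADComputer -SearchBase $StagingOu -SearchScope OneLevel -Filter * `
#     -Properties OperatingSystem |
#     Get-StagingPlacement | Where-Object Class -eq 'Server'
```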