Default Computers Container (Best Practice)

We are currently in the process of redesigning a new Active Directory system due to company expansion, and the old AD got messy because no organizational rules were in place at the time.

Our techs must move a new computer account from the Computers container to a "New Computers" OU that has the proper policies attached to it. They tend to forget this quite a bit. The policies on this OU are semi-critical, as they force all updates, security settings and AV software to be installed at first boot, whereas the other OUs we store computers in have the same settings (and more) but their installs/updates take place during off hours.

I would like to deny the techs access to AD and have the systems automatically get these critical settings now rather than wait up to 48 hours.

How can this be done?

Can we apply policies to the Computers container? Or can we redirect all new systems to the "New Computers" OU when they are joined to the domain (i.e. create a new default location for new computer accounts)?

What would you recommend doing, and what resources would you recommend for completing the procedure?

We will be utilizing Server 2008 throughout, and AD will be raised to the newest functional level available.

m698322h asked:

Mike Kline commented:
No, you can't apply/link policies to the Computers container (you can't link policies to any container). You can use redircmp to change the default location for all new computers; that procedure is covered here:

http://support.microsoft.com/kb/324949

You could also link the GPO at the domain level (but that would affect every computer object, including servers, which I don't think you want).

Thanks

Mike
0
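The redircmp procedure Mike points to, as an added PowerShell example that is not part of the thread and not from the KB article. It assumes the RSAT ActiveDirectory module is installed, the caller is a Domain Admin, and the target OU is named "New Computers" directly under the domain root; the OU name and the pre-check are assumptions, not something the thread specifies. It also adds a defender's check the answer does not mention: listing computer accounts that were joined into CN=Computers before the redirect, since redircmp only changes where future accounts land and never moves existing ones.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and an OU named "New Computers" under the domain root; adjust $targetOU to fit.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOU = "OU=New Computers,$($domain.DistinguishedName)"   # assumed OU name

# 1. Show where new computer accounts currently land (CN=Computers by default).
"Current default computer container: $($domain.ComputersContainer)"

# 2. Pre-check: the target OU must exist, or redircmp will fail.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetOU'")) {
    throw "Target OU $targetOU does not exist; create it before redirecting."
}

# 3. Redirect the default location. redircmp rewrites the wellKnownObjects
#    attribute on the domain naming context; it needs Domain Admin rights and a
#    domain functional level of Windows Server 2003 or higher.
redircmp $targetOU

# 4. Verify the change took effect before trusting it.
$after = (Get-ADDomain).ComputersContainer
if ($after -ne $targetOU) {
    throw "Redirect failed: default container is still $after"
}

# 5. Detection: accounts already sitting in the old container are NOT moved by
#    redircmp (nor are accounts a tech pre-creates with an explicit OU path).
#    List them so they can be moved into the New Computers OU by hand.
$oldContainer = "CN=Computers,$($domain.DistinguishedName)"
Get-ADComputer -Filter * -SearchBase $oldContainer |
    Select-Object Name, DistinguishedName, Created |
    Format-Table -AutoSize
```

Run this once on a domain controller or an admin workstation with RSAT; step 5 is also worth scheduling on its own, because any computer object still appearing in CN=Computers after the redirect means it was pre-staged there explicitly and has not received the first-boot policies the question describes.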
 
Aj8787 commented:
Well, I am not sure I completely got your question, but:

You want to install updates as soon as the computer gets its first boot. You can go for software deployment in the OU policy and run "gpupdate"; as soon as the client machine gets rebooted, these patches will be applied to the system irrespective of on/off hours.

I still don't get the need for a different container for new systems. All systems should be in the same container, so if in future you have any update, all systems will get it at once rather than applying the update in two different places.
0
 
m698322h (author) commented:
At this time a tech adds a computer to the domain and has to move the account to the "New Computers" OU before the system reboots. Once the system reboots, our AV is installed, all client and user certificates are initialized, Windows updates take place from our updating system, etc.

Once the computer has finished getting all it needs, it is moved to a container based on the location where the system will be located (these have some differences in policies).

The main reasons we have a different OU for all new systems are getting all proper Windows updates now (they have deadlines set on them), and all techs are denied from touching the computer account once it gets moved to its proper location by the admin of that location. It's all security based.
0
 
Aj8787 commented:
After moving PCs to the location domain:

You can apply patches in the Default Domain Policy if you want updates to be installed on servers as well whenever they reboot.

Or you can create a different OU for computers in the respective domain and apply a separate GPO to that OU to apply patches, so there is no need to move them back to the New Computers OU once you have moved them to the location domain.

I guess I am hitting the right point.
0
 
m698322h (author) commented:
You reinforced what I had thought. Thanks for your input.
0