Is it wrong to create security groups on mydomain/Computers container?

  • Thread starter Thread starter SammyBar
  • Start date Start date
S

SammyBar

Guest
Hi all,

I'm creating security groups of computers to assign different domain level
GPOs to each of them. In the past I created such groups in Active Directory
Users and Computers in mydomain/Computers instead of mydomain/Users. In the
past it looked to me more natural. But I always wondered why Microsoft
creates groups of computers in mydomain/Users? For example in my W2K3 domain
controller "RAS and IAS Servers" , "Domain Computers", "Domain Controllers"
groups are created in mydomain/Users.
Is it any problems with creating security groups in mydomain/Computers? Does
not it works the same if they were created in mydomain/Users?

Thanks in advance
Sammy
 
Re: Is it wrong to create security groups on mydomain/Computers container?

Sammy wrote:

> I'm creating security groups of computers to assign different domain level
> GPOs to each of them. In the past I created such groups in Active
> Directory Users and Computers in mydomain/Computers instead of
> mydomain/Users. In the past it looked to me more natural. But I always
> wondered why Microsoft creates groups of computers in mydomain/Users? For
> example in my W2K3 domain controller "RAS and IAS Servers" , "Domain
> Computers", "Domain Controllers" groups are created in mydomain/Users.
> Is it any problems with creating security groups in mydomain/Computers?
> Does not it works the same if they were created in mydomain/Users?

I avoid creating objects in the Users container for two reasons. It has
standard items and I'd rather not mix in my own objects, plus group policies
are applied to OU's.

I would use the same reasoning for the Computers container. I would place
computers in an OU so group policy can be applied. But it is your choice. In
this case, your groups will not be mixed with other standard groups. It
doesn't matter where the groups are, as long as you can find them easily.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
 
Re: Is it wrong to create security groups on mydomain/Computers container?

Thanks Richard for your answer,
I'm really a 110% programmer in charge of administering the AD of my
organisation in the -10% remaider time. Our organisation is not too big so I
stick to one rule: depart the minimum from the standard AD setup, 'cause I
have no time to train in administrative issues. So I have not introduced any
Organisational Unit on my AD tree. Even when I hadt to introduce GPO (for
WSUS) I dig the web until I found te security filtering for domain based
GPOs. Shortly: I terribly afraid to break something. So just give me the tip
without sending me to read bunch of documentation: Can I create OU and
relocate computers and users and groups freely...? I'm asking that 'cause
for long time I'd liked to organize the long list of users and computers in
a better way for me to administer but I don't want it to impact the way all
is working now.

Thanks for your time
Sammy

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> escribió en
el mensaje news:%23fJU7MhqIHA.4876@TK2MSFTNGP02.phx.gbl...
> Sammy wrote:
>
>> I'm creating security groups of computers to assign different domain
>> level GPOs to each of them. In the past I created such groups in Active
>> Directory Users and Computers in mydomain/Computers instead of
>> mydomain/Users. In the past it looked to me more natural. But I always
>> wondered why Microsoft creates groups of computers in mydomain/Users? For
>> example in my W2K3 domain controller "RAS and IAS Servers" , "Domain
>> Computers", "Domain Controllers" groups are created in mydomain/Users.
>> Is it any problems with creating security groups in mydomain/Computers?
>> Does not it works the same if they were created in mydomain/Users?
>
> I avoid creating objects in the Users container for two reasons. It has
> standard items and I'd rather not mix in my own objects, plus group
> policies are applied to OU's.
>
> I would use the same reasoning for the Computers container. I would place
> computers in an OU so group policy can be applied. But it is your choice.
> In this case, your groups will not be mixed with other standard groups. It
> doesn't matter where the groups are, as long as you can find them easily.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
 
Re: Is it wrong to create security groups on mydomain/Computers container?

Creating OU's and moving users, computers, and/or groups into them will have
no impact at all (since your only Group Policy is at the domain level). You
can create OU's any way you wish that makes sense to you (so you can find
objects). The users, computers, and groups will never know the difference if
they are moved (as long as their names are not changed).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"SammyBar" <sammybar@gmail.com> wrote in message
news:uugo6chqIHA.2520@TK2MSFTNGP02.phx.gbl...
> Thanks Richard for your answer,
> I'm really a 110% programmer in charge of administering the AD of my
> organisation in the -10% remaider time. Our organisation is not too big so
> I stick to one rule: depart the minimum from the standard AD setup, 'cause
> I have no time to train in administrative issues. So I have not introduced
> any Organisational Unit on my AD tree. Even when I hadt to introduce GPO
> (for WSUS) I dig the web until I found te security filtering for domain
> based GPOs. Shortly: I terribly afraid to break something. So just give me
> the tip without sending me to read bunch of documentation: Can I create OU
> and relocate computers and users and groups freely...? I'm asking that
> 'cause for long time I'd liked to organize the long list of users and
> computers in a better way for me to administer but I don't want it to
> impact the way all is working now.
>
> Thanks for your time
> Sammy
>
> "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> escribió
> en el mensaje news:%23fJU7MhqIHA.4876@TK2MSFTNGP02.phx.gbl...
>> Sammy wrote:
>>
>>> I'm creating security groups of computers to assign different domain
>>> level GPOs to each of them. In the past I created such groups in Active
>>> Directory Users and Computers in mydomain/Computers instead of
>>> mydomain/Users. In the past it looked to me more natural. But I always
>>> wondered why Microsoft creates groups of computers in mydomain/Users?
>>> For example in my W2K3 domain controller "RAS and IAS Servers" , "Domain
>>> Computers", "Domain Controllers" groups are created in mydomain/Users.
>>> Is it any problems with creating security groups in mydomain/Computers?
>>> Does not it works the same if they were created in mydomain/Users?
>>
>> I avoid creating objects in the Users container for two reasons. It has
>> standard items and I'd rather not mix in my own objects, plus group
>> policies are applied to OU's.
>>
>> I would use the same reasoning for the Computers container. I would place
>> computers in an OU so group policy can be applied. But it is your choice.
>> In this case, your groups will not be mixed with other standard groups.
>> It doesn't matter where the groups are, as long as you can find them
>> easily.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>>
>
>
 
Back
Top