Sherry,

While you cannot apply a GPO directly to the COMPUTERS default OU,
remember, it is a nested OU, underneath the domain root. Placing a
computer-based policy at the domain root will trickle to PCs inside
COMPUTERS as well. I'm sure you're thinking it: you must be careful to
properly secure the GPO placed at the root of the AD domain, so as not to
lock down the entire AD.

Do remember though, from a fresh build or image-deployed box, a PC will
likely need a reboot or three before it absorbs and applies the policy.
Nothing is instant about GPOs and XP boxes, which is usually plenty of
time to either use a batch process that moves the computer object, or
redirect to another OU as suggested by Ed. The problem that I don't
like about changing the default OU---some software, somewhere, someday
is going to expect COMPUTERS like it is now, plus, when you build your
next server, guess where it'll go too?

Overall, while not the most elegant of solutions, it's one that I fall
back to every time---running a script/batch as suggested by Kurt.

Bob

From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 02, 2008 1:10 PM
To: Active Directory Admin Issues
Subject: Adding New Computer to Domain

Is there a way to change the default OU that new computers are
automatically added to when joined to an active directory domain?

We are looking to add a group policy that basically locks down a
computer as soon as it's added to the domain, and then move the computer
to an OU that has the policy that it should receive based on
who/what/where.  You cannot add a group policy to the default Computers
OU.  So far Googlefu hasn't yielded anything.

TIA,

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke 
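
Added example, not part of the original thread: one way to script the move of computer objects out of the default Computers container that the reply above falls back to, written against the ActiveDirectory PowerShell module. The domain DN, OU paths, name prefixes and the rule of leaving servers for manual placement are all constructed assumptions.

```powershell
# Added example. Every DN, OU and name prefix below is a constructed placeholder.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'        # placeholder domain
$defaultCn  = "CN=Computers,$domainDn"   # where newly joined machines land by default
$fallbackOu = "OU=Staging,$domainDn"     # hypothetical OU with the lock-down GPO linked

# Hypothetical naming convention -> destination OU (first match wins).
$rules = [ordered]@{
    '^NYC-WS' = "OU=Workstations,OU=NewYork,$domainDn"
    '^LAB-'   = "OU=Lab,$domainDn"
}

function Resolve-TargetOu {
    param([string]$Name)
    foreach ($pattern in $rules.Keys) {
        if ($Name -match $pattern) { return $rules[$pattern] }
    }
    # Unknown machines go to the locked-down OU rather than staying unmanaged.
    return $fallbackOu
}

# OneLevel: only objects sitting directly in the default container.
$computers = Get-ADComputer -Filter * -SearchBase $defaultCn `
    -SearchScope OneLevel -Properties OperatingSystem

foreach ($c in $computers) {
    # Assumption: servers are placed by hand, so a workstation lock-down
    # policy never reaches a freshly built server.
    if ($c.OperatingSystem -like '*Server*') {
        Write-Warning "Skipping server $($c.Name); place it manually."
        continue
    }

    $target = Resolve-TargetOu -Name $c.Name
    try {
        # -WhatIf only reports the intended move; remove it to apply.
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $target `
            -WhatIf -ErrorAction Stop
    } catch {
        Write-Warning "Could not move $($c.Name): $($_.Exception.Message)"
    }
}
```

Run on a schedule, this keeps the window in which a new machine sits outside any OU-linked policy short; the account running it needs delegated rights to move computer objects between the container and the target OUs.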
