Yes it would, but then you have to mess with blocking and filtering in some cases. Auto moving them to their own OU works best for us. ________________________________________ From: David Lum [EMAIL PROTECTED] Sent: Thursday, September 18, 2008 6:16 PM To: NT System Admin Issues Subject: RE: new computers
Wouldn't applying said GPO's at the domain root accomplish the same thing? Having said that I like your idea much better.. Dave -----Original Message----- From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2008 1:37 PM To: NT System Admin Issues Subject: RE: new computers I do something similar, but I simply changed where new computers are put by default. My computers now go to an OU with GPOs applied by default instead of going to "Computers", after that they can be further moved if necessary to receive additional GPOs and/or software which I install via SCE. The really nice part about this is that we use ForeFront for Anti-Malware which you can apply to any OU or Group, so now every machine that joins our domain gets AM software installed as a part of joining the domain. No manual intervention required to protect all computers in the domain by default. Tim -----Original Message----- From: Joe Heaton [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2008 2:02 PM To: NT System Admin Issues Subject: RE: new computers Hmm, interesting reasons Phil. I can see the idea, create the object, put it in the right OU, the right group for GPO, etc. Thanks for that... Joe Heaton -----Original Message----- From: Phil Brutsche [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2008 11:45 AM To: NT System Admin Issues Subject: Re: new computers I've done it both ways. I usually try to have the AD objects created first. If you create the AD object first the machine will get the right GPOs right off the bat. It's less work that way, especially if you use software installation GPOs. The machine is 100% ready to go sooner. Joe Heaton wrote: > When you guys build new PCs, do you create the AD object first, or > simply join the domain from the PC afterwards? I've always created the > PC, then joined the domain, but our desktop guy just mentioned that our > manager wanted him to create the AD object first. My first instinct is > to say no, because then you're creating an AD object for something that > doesn't exist yet, but other than that, I didn't have a real reason. > Anyone have a better reason? -- Phil Brutsche [EMAIL PROTECTED] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.21/1678 - Release Date: 9/18/2008 9:01 AM ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
