Create Groups...only Computer Accounts

[JJ]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

My perception is that you only create groups for User Accounts, but
recently, I am reviewing GPO and the likes and have read that you can also
create / delegate / deny based on Computer Accounts. If this is the case,
can I go ahead and group Computer Accounts - their own groups (not just by
OU), just like User Accounts?

Thanks.

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

"JJ" <jj@stokes.net> wrote in message
news:ewSc4Oy0EHA.2608@TK2MSFTNGP10.phx.gbl...
> My perception is that you only create groups for User Accounts, but
> recently, I am reviewing GPO and the likes and have read that you can also
> create / delegate / deny based on Computer Accounts. If this is the case,
> can I go ahead and group Computer Accounts - their own groups (not just
by
> OU), just like User Accounts?


The simple answer is "yes", but you will do yourself
a disservice if you use this mindset for designing your
OU and GPOs.

You will be better served if you design the GPO structure
to support:

Delegating administration AND

Assigning GPOs

Then use the Groups and filtering as an EXCEPTION when
no clear method is otherwise available. Using permissions
on GPO certainly works but it is not nearly as easy to manage.

But, ultimately, it's your domain and you can do whatever
works for you.

--
Herb Martin


>
> Thanks.
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

Yes, we do this to install software selectively on computers. If the
computer is in the appropriate group, the software policy is applied and the
application is installed automatically.
Anthony


"JJ" <jj@stokes.net> wrote in message
news:ewSc4Oy0EHA.2608@TK2MSFTNGP10.phx.gbl...
> My perception is that you only create groups for User Accounts, but
> recently, I am reviewing GPO and the likes and have read that you can also
> create / delegate / deny based on Computer Accounts. If this is the case,
> can I go ahead and group Computer Accounts - their own groups (not just
by
> OU), just like User Accounts?
>
> Thanks.
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

Absolutely you can, otherwise you'll not be able to filter computer GPOs.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"JJ" <jj@stokes.net> wrote in message
news:ewSc4Oy0EHA.2608@TK2MSFTNGP10.phx.gbl...
> My perception is that you only create groups for User Accounts, but
> recently, I am reviewing GPO and the likes and have read that you can also
> create / delegate / deny based on Computer Accounts. If this is the case,
> can I go ahead and group Computer Accounts - their own groups (not just
> by OU), just like User Accounts?
>
> Thanks.
>