Question : Adding more OUs to the "Computers" OU

Hi all,

I posted a question yesterday stating that I wish to harden my XP clients by disabling services via a GPO. Now the problem is; under the "Computers" OU I have all my servers and clients listed... so I cant attach 1 GPO to this OU and disable things that clients do not need but the servers do.

So my idea is the create some more OUs under the "Computers" OU... so I should have:

Domain
    |___ Base  << For the generic GPO that applies to everyone and everything.
              |
              |____ Computers  << Attach services disabling GPO here (services that can be applied to all machines)
              |              |
              |              |___ Servers
              |              |          |
              |              |          |____ WebServers  << Attach services disabling GPO here (allowing web services)
              |              |          |
              |              |          |____ FileServers  << Attach services disabling GPO here  (disallowing web services)
              |              |
              |              |___ Clients  << Attach services disabling GPO here (disallowing just about everything)
              |
              |____ Domain Controllers  << Attach services disabling GPO here (allowing DNS services)
              |
              |____ User OUs

So, I would say move all the web servers to DOMAIN\Base\Computers\Servers\WebServers so that I can enable services that the webservers need...

Now my question is this:
Does anyone see a problem with this?
I havent had any training in using Active Directory, so im still learning... and everytime I move a computer to one of those OUs the console asks "do you really want to so this, it may bugger everything up".... which worries me :/

Thanks for your input.

~Binks

Answer : Adding more OUs to the "Computers" OU

Hi,

Please note that you may want to consider the impact of the inheritance and also the way you will be enabling and disabling services.  Remember that you perform the tasks at the Computer Configuration level and that domain users will have no control over the settings you make.  Moving a test computer into the OU may be the first step in your process so that you can determine if the settings you have applied work as you expected them to.  If all is well, move all the other computers.  

If the settings do not work as you wanted, simply move the computer back to the OU you had it in before.  The bad settings will be removed or if you want to speed up the process, restart the computer.

Test, test, and retest.
M