organising laptops and desktops in AD - best practice

crib bar 531 Reputation points
2023-01-23T11:50:22.9766667+00:00

From a systems administrator's perspective, are there any risks in storing both laptop and desktop computers in the same OU, or is it common best practice to store them in their own dedicated OUs in your AD domain?
I was trying to understand the logic behind why AD admins may put each in their own OU, or whether it's common to group them all together?

Likewise, do you use any specific naming conventions for computers added to AD to differentiate between desktops and laptops, and if so, what benefits does this provide? Or, if such a naming convention wasn't in place, what issues/challenges could this cause?


Accepted answer
  1. Limitless Technology 43,941 Reputation points
    2023-01-25T10:47:06.32+00:00

    Hello Crib bar,

    The main reasons to segregate different hardware, such as desktops and laptops, are usually the same as for separating servers and workstations. On one side, there is the hardware perspective, as you may want to enable some registry configurations specific to some models. On the other hand, there may be specific GPOs that apply to laptop computers (such as encryption and other policies) that are not required on desktops. Additionally, there may be additional security policies or application permissions for laptop users due to mobility (the first that comes to mind is to avoid connecting to unencrypted networks, for example).

    Besides that, many sysadmins who are more specific would create an OU per department, then sub-OUs for users and computers, then another OU level for desktops and laptops. Depending on the extent and complexity of the organization structure, this can be quite an advantage.

    --If the reply is helpful, please Upvote and Accept as answer--

    2 people found this answer helpful.

2 additional answers

  1. Thameur-BOURBITA 32,511 Reputation points
    2023-01-23T14:31:44.2433333+00:00

    Hi @crib bar

    There is no risk, because desktops and laptops are both tagged as Tier 2 in the tiering administration model:

    Understanding Microsoft's Tiering Model (in French) - Akril.net

    I was trying to understand any logic why AD admins may put each in their own OU, or if its common to group them altogether?

    In an Organizational Unit we can configure:

    • Permissions for an administrator or group of administrators to manage all objects under this OU
    • Link GPOs

    AD administrators may choose to split OU if the teams who should manage desktop and laptop are not the same.

    The same goes for GPOs. (Regarding GPOs, there are many solutions to avoid the split, like security group filtering and WMI filtering.)

    Please don't forget to mark the helpful answer as accepted

    2 people found this answer helpful.
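The two answers above both come down to the same two OU properties: you can link GPOs to an OU and you can delegate control of its objects to a team. Below is an added example, written for this page and not code from either answer, that builds the split the accepted answer describes (a Workstations OU with Desktops and Laptops children), delegates each child to its own Tier 2 group as Thameur suggests, links a laptop-only GPO, and uses a naming prefix as a cross-check against OU placement. The OU, group and GPO names, the `D-`/`L-` prefix convention, and the assumption that the RSAT ActiveDirectory and GroupPolicy modules are available and the script runs with Domain Admin rights are all this example's choices.

```powershell
# Added example (not from the thread): OU split + per-team delegation + laptop-only GPO.
# Assumptions: RSAT ActiveDirectory/GroupPolicy modules, run as a Domain Admin;
# all OU/group/GPO names and the D-/L- naming prefixes are placeholders for this example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$wsOU     = "OU=Workstations,$domainDN"
$classes  = 'Desktops', 'Laptops'

# 1. OU layout: one parent for all workstations, one child per hardware class
New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($name in $classes) {
    New-ADOrganizationalUnit -Name $name -Path $wsOU -ProtectedFromAccidentalDeletion $true
}

# 2. Delegation: a separate security group per child OU, scoped to computer objects only
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class
foreach ($name in $classes) {
    $groupName = "Tier2-$name-Admins"
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $wsOU
    $sid    = (Get-ADGroup $groupName).SID
    $ouPath = "AD:\OU=$name,$wsOU"
    $acl    = Get-Acl -Path $ouPath

    # May create/delete computer objects in this OU (and any sub-OUs)
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

    # Full control over existing computer objects only, not over the OU itself,
    # so the group cannot relink GPOs or widen its own delegation
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid))

    Set-Acl -Path $ouPath -AclObject $acl
}

# 3. Laptop-only policy: linked to the Laptops OU, so desktops never receive it
$gpo = New-GPO -Name 'WS-Laptops-BitLocker' -Comment 'BitLocker and mobility settings for laptops'
New-GPLink -Guid $gpo.Id -Target "OU=Laptops,$wsOU" -LinkEnabled Yes | Out-Null

# 4. Verify: which Tier2 ACEs exist on each child OU and which GPOs are linked there
foreach ($name in $classes) {
    $ouDN = "OU=$name,$wsOU"
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object { $_.IdentityReference -like '*\Tier2-*' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
    Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
}

# 5. Naming convention as a cross-check: the prefix must agree with the OU the
#    object sits in, otherwise a laptop filed under Desktops misses the laptop GPO.
$expectedPrefix = @{ Desktops = 'D-'; Laptops = 'L-' }   # example convention
foreach ($name in $classes) {
    Get-ADComputer -SearchBase "OU=$name,$wsOU" -Filter * |
        Where-Object { -not $_.Name.StartsWith($expectedPrefix[$name]) } |
        ForEach-Object { Write-Warning "$($_.Name) is in the $name OU but is not named $($expectedPrefix[$name])*" }
}
```

The delegation deliberately grants GenericAll on descendant computer objects plus CreateChild/DeleteChild for the computer class, and nothing on the OU object itself; that keeps the Tier 2 group from linking GPOs or editing the OU's ACL, which is the property that makes the split safe to hand to a separate team.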

  2. Pavel yannara Mirochnitchenko 11,716 Reputation points
    2023-01-23T12:00:22.1533333+00:00

    I would say that the need to divide desktops and laptops was bigger before than it is today. You might want to have different BitLocker and power options for desktops and laptops.

    In AD, for GPOs, you could also use WMI filters to exclude desktops from the BitLocker settings; this way you can still use the same OU.

    In Intune, you could specify model filters to have different groups for laptops and desktops.

    Unless desktops play a very special role in your organization (product/factory computers with a critical role), I would not bother to divide them at all.

    1 person found this answer helpful.
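The WMI-filter route above keeps one OU and lets the client decide at every Group Policy refresh whether it is a laptop. Below is an added example, written for this page and not from the answer, showing the WQL such a filter would contain and a dry run that evaluates the same queries through CIM, locally and across a fleet, so you can see which machines would match before attaching the filter to the BitLocker GPO. The choice of classes and chassis codes, the filter names, and the OU path are this example's assumptions; the filter object itself is still created in GPMC (WMI Filters node, namespace root\CIMv2).

```powershell
# Added example (not from the thread): dry-run the WQL of a laptop/desktop GPO WMI filter.
# Assumptions: the classes/values below are this example's choice; the OU path is a placeholder;
# the fleet check needs CIM/WinRM access to the clients and the RSAT ActiveDirectory module.

# Win32_ComputerSystem.PCSystemType: 1 = Desktop, 2 = Mobile, 3 = Workstation
# Win32_SystemEnclosure.ChassisTypes (SMBIOS type 3): 8 Portable, 9 Laptop, 10 Notebook,
# 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$WmiFilterQueries = @{
    'WS-Laptops-PCSystemType'  = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
    'WS-Laptops-Chassis'       = 'SELECT * FROM Win32_SystemEnclosure WHERE ChassisTypes = 8 OR ChassisTypes = 9 OR ChassisTypes = 10 OR ChassisTypes = 14 OR ChassisTypes = 30 OR ChassisTypes = 31 OR ChassisTypes = 32'
    'WS-Laptops-Battery'       = 'SELECT * FROM Win32_Battery'
    'WS-Desktops-PCSystemType' = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 1'
}

function Test-WmiFilterQuery {
    <#
      A GPO WMI filter matches only when every query in it returns at least one
      instance; an empty result means the GPO is skipped on that machine.
      Running the same WQL through Get-CimInstance reproduces that decision.
    #>
    param(
        [Parameter(Mandatory)][hashtable]$Queries,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($entry in ($Queries.GetEnumerator() | Sort-Object Key)) {
        $params = @{ Namespace = 'root\cimv2'; Query = $entry.Value; ErrorAction = 'SilentlyContinue' }
        if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }
        $instances = @(Get-CimInstance @params)
        [pscustomobject]@{
            Computer = $ComputerName
            Filter   = $entry.Key
            Matches  = ($instances.Count -gt 0)
            Query    = $entry.Value
        }
    }
}

# Local dry run: which of the filters would this machine match?
Test-WmiFilterQuery -Queries $WmiFilterQueries | Format-Table Filter, Matches -AutoSize

# Fleet dry run: find machines in the laptop OU that no laptop filter catches.
# Those would silently fall out of a WMI-filtered BitLocker GPO, which is the
# failure mode a dedicated OU does not have.
$laptopOU = 'OU=Laptops,OU=Workstations,' + (Get-ADDomain).DistinguishedName   # assumed path
Get-ADComputer -SearchBase $laptopOU -Filter { Enabled -eq $true } |
    ForEach-Object { Test-WmiFilterQuery -Queries $WmiFilterQueries -ComputerName $_.DNSHostName } |
    Group-Object Computer |
    Where-Object { -not ($_.Group | Where-Object { $_.Filter -like 'WS-Laptops-*' -and $_.Matches }) } |
    ForEach-Object { Write-Warning "$($_.Name): no laptop WMI filter matches; it would not receive the laptop GPO" }
```

The practical trade-off: a WMI filter is re-evaluated on every refresh and depends on what the firmware reports, so virtual machines, all-in-ones and hardware with odd SMBIOS chassis values can drop out of the encryption policy without anyone moving an object. OU placement is deterministic and auditable from AD alone, which is why the "just use one OU with filters" approach is best paired with a dry run like the one above.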