A computer object is a security principal. This means that, just as with a user, you can grant a computer permissions on resources and assign it security group memberships. Applying permissions to security groups rather than to OUs is a generally accepted best practice. For user objects, you can delegate part of this work and automate most of the rest, leaving only a small amount of manual work for system admins to perform.
Of course, with AD computer objects it is a bit more difficult to offer AD self-service, at least until HAL 9000 takes over. That leaves dynamic security group membership for your computer objects as your sole alternative to the dreaded manual process.
There are a number of computer object attributes you can query to build dynamic groups, whether by department, company, operating system, last logon, and so on. Some of these filters can be applied at the GPO level, but for others it makes more sense simply to keep the group membership itself accurate.
Once the group membership is accurate, it's easy to start offering different IE settings by department (fewer restrictions for one department than another), software installs by department (PowerPoint for Sales, VSTS for Engineering), or even settings by location (no proxy setting for home offices).
This is all fairly simple if you have a purpose-built dynamic AD group management solution, but it can also be accomplished with some clever scripting. Let us know if you want to see a demonstration of how to put computer objects in dynamic AD security groups.
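As an added illustration of the scripting approach (this is not GroupID's code or code from the original post), the following PowerShell script keeps one security group in sync with the computer objects that match a rule over their attributes; the group name, search base, department, OS pattern and stale-logon threshold are all assumptions chosen for the example, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post: keep one AD security group in
# sync with the computer objects that match a rule over their attributes.
# Group name, search base and the rule itself are illustrative assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName    = 'GG-Computers-Engineering-Win11',     # assumed name
    [string]$SearchBase   = 'OU=Workstations,DC=example,DC=com',  # assumed OU
    [string]$Department   = 'Engineering',
    [string]$OsPattern    = 'Windows 11*',
    [int]   $MaxStaleDays = 90   # ignore machines that have not logged on recently
)

Import-Module ActiveDirectory

# lastLogonTimestamp is replicated domain-wide but only refreshed roughly every
# 14 days, so keep the stale threshold comfortably larger than that.
$cutoff = (Get-Date).AddDays(-$MaxStaleDays).ToFileTime()
$filter = "department -eq '$Department' -and operatingSystem -like '$OsPattern' " +
          "-and lastLogonTimestamp -gt $cutoff -and enabled -eq 'True'"

$desired = @(Get-ADComputer -SearchBase $SearchBase -Filter $filter |
             Select-Object -ExpandProperty DistinguishedName)

# Guard against a typo in the rule silently emptying the group (and with it
# every permission or GPO that targets the group).
if ($desired.Count -eq 0) {
    throw "Rule matched no computers; refusing to empty '$GroupName'."
}

# Only computer objects are managed here; users or nested groups that someone
# added by hand are left alone rather than removed.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object objectClass -eq 'computer' |
             Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) computer(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) computer(s)")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}
Write-Verbose ("{0}: +{1} / -{2}, now {3} computer member(s)" -f
    $GroupName, $toAdd.Count, $toRemove.Count, $desired.Count)
```

Run it with `-WhatIf` first to see the adds and removes it would make, then schedule it to run after each replication cycle. Bear in mind that a computer picks up a new group in its Kerberos ticket only at its next reboot, so group-filtered GPOs take effect then rather than at the next Group Policy refresh.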
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.