Posts

Showing posts from 2019

Why You Should Deny the Creation of Computer Objects in the Default Container

In my post that covers my standard directory structure, I recommend using a third-level OU as the effective root of all non-domain controller members. "But," I can hear you saying, "what about all the computer objects that get created in the default Computers container?" To that, I say: block 'em.

Do you have build procedures for new servers and workstations? Do you have agents or other utilities that need to be installed on all members? Do you have custom security or group policy settings that need to apply to certain computers? Do all devices need to undergo a security review before being joined to the domain? If so, this is the best first step to ensure all new computers are compliant before being put into production.

Once you've established that there will be no creation in the default container, that logically means a few things:

- New objects must be intentionally created by either support personnel or approved automated systems.
- Elevated dir