Neil- First off, the Computers container is not an OU, so you can't link a GPO to it. You can only link it to the domain to effect those machines and then that GPO would apply to all computers unless you managed the security permissions around it. I think your better bet is to make sure that all new computer accounts added to the domain are sent to a particular OU. Server 2003 includes redircomp.exe that lets you change the default location that new computer accounts are sent to. You could then use a GPO linked to that "holding" OU to lock down those systems. Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of neil@xxxxxxxxxxxxxxxx Sent: Thursday, January 25, 2007 8:04 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Disabling Computer Accounts Hi all, Does anyone have any ideas on how best to achieve the following. I need to make a computer that is intially built into the domain - virtually unusable until it is placed in the correct OU. I had thought of applying a very restrictive GPO to the default computers OU which made it unusable but not quite sure which settings to apply and if there are any issues with doing this. It is bascially to stop people bypassing build procedures and policies and not putting the computer into the correct OU. Thanks for any thoughts :) Neil *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************