As Carson mentioned, use groups instead of OUs. I always use the Group attribute and not memberOf. ClearPass extracts the CN from the memberOf attribute and makes the names available in the Group attribute. Group can be checked with EQUAL and is therefore less vulnerable because group names are always unique. With CONTAIN, there is a risk of misinterpretation, as the OUs in the OU folder structure may have similar names, which can lead to false positives in a CONTAIN test.
You need to be careful with the primary group (such as domain-users or domain-computers). The primary group is not included in the memberOf attribute, even though Windows displays it that way. Membership in the primary group is represented in Active Directory by the primaryGroupID attribute.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Jan 15, 2026 09:58 AM
From: Jscott1
Subject: Target Computer OUs rather than UserDN for ClearPass
We are looking to put certain Computer OUs in a different VLAN. Currently we have it set up to look at UserDN to force users to a role. Is there an easier way than adding attributes to the computers in ClearPass or putting them in a MemberOf group?
Here are pictures of examples.

-------------------------------------------
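The difference between an EQUAL test on Group and a CONTAIN test on memberOf, and the primaryGroupID caveat from the reply above, shown as an added example that is not part of the original thread and is not ClearPass code. The DNs, group names and function names are constructed for illustration; the CN extraction only models the behaviour the reply describes, and 513/515 are the well-known RIDs of Domain Users and Domain Computers.

```python
import re

# Well-known RIDs of the default primary groups in Active Directory.
PRIMARY_GROUP_RIDS = {513: "Domain Users", 515: "Domain Computers"}

def split_dn(dn):
    """Split a DN into RDNs, ignoring commas escaped with a backslash."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc or ch not in ("\\", ","):
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        else:  # unescaped comma ends the current RDN
            parts.append("".join(cur).strip())
            cur = []
    parts.append("".join(cur).strip())
    return parts

def group_names(member_of):
    """Model of the Group attribute: the leading CN of each memberOf DN."""
    names = []
    for dn in member_of:
        attr, _, value = split_dn(dn)[0].partition("=")
        if attr.strip().upper() == "CN":
            names.append(re.sub(r"\\(.)", r"\1", value))  # drop DN escapes
    return names

def contains_rule(values, needle):
    """Substring test over full DNs (what a CONTAIN check on memberOf does)."""
    return any(needle.lower() in v.lower() for v in values)

def equals_rule(values, name):
    """Exact, case-insensitive test over extracted group names."""
    return any(v.lower() == name.lower() for v in values)

def primary_group_name(primary_group_id):
    """The primary group lives in primaryGroupID, never in memberOf."""
    return PRIMARY_GROUP_RIDS.get(primary_group_id)

# Constructed sample objects: PC_B only sits under a similarly named OU.
PC_A = {"memberOf": ["CN=VLAN-Lab,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": 515}
PC_B = {"memberOf": ["CN=Printers,OU=VLAN-Lab-Retired,OU=Groups,DC=example,DC=com"],
        "primaryGroupID": 515}
```

With this data a CONTAIN test for `VLAN-Lab` on memberOf matches both computers, while an EQUAL test on the extracted group name matches only PC_A. Neither computer's memberOf yields `Domain Computers`, so a rule on the primary group has to look at primaryGroupID instead.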