Fairly new to the product.  To limit the view/action of computer accounts I can do so with a static group of those computer accounts.  For my case today, the helpdesk can only see/view/etc workstations.  Fine and dandy to get every computer account in that group.  But when they make new ones, then they'd have to ask an administrator to add which is not a good use of time in multiple ways.  

I am looking at building a SQL script and schedule it that says, if Computer exists in OU and not exist in StaticGroup then add it.  But there may be a more dynamic/better way to do this but I've found myself limited to having only static groups for a user to limit to just their role/responsibilities for computers to do patching and deployments.  

Wanted to send out to the community for thoughts, suggestions or ways this is being accomplished.  

Thank you in advance.