
Good afternoon everyone,

I'm quite new to Active Directory. After upgrading the functional level of our AD from 2003 to 2008 R2 (I needed it to put a fine-grained password policy in place), I then started to reorganize my OUs. I keep in mind that a good OU organization facilitates the application of GPOs (and maybe GPPs). But in the end, it feels more natural for me to use security-group filtering (from the Scope tab) to apply my policies, instead of linking directly to OUs.

Do you think it is good practice, or should I stick to OUs?

We are a small organisation with 20 users and 30-35 computers. So we have a simple OU tree, but a more subtle split with security groups.

The OU tree doesn't contain any objects except at the bottom level. Each bottom-level OU contains computers, users, and of course security groups. These security groups contain the users and computers of the same OU.

Thanks for your advice, Olivier

  • The principles of KISS could never apply more than in this situation. I try to use OU-based GPOs first, and if somebody puts a gun to my head I'll use filtering. – tony roth Nov 29 '12 at 16:56

2 Answers

7

Benefits to using an OU-based GPO layout

  • Easier to immediately see the affected set of objects

  • Less overhead involved than managing additional security groups

  • Less replication to other DCs and smaller user tokens, since you don't need a bunch of extra security groups (this probably doesn't matter much to a smaller infrastructure like you describe)

  • In most organizations, almost all policies can apply at an OU level in a well designed AD

  • Easier delegation

Benefits to using a scope-based GPO layout

  • More flexible

  • Solves the "where should I put this object?" problem that comes up for employees who might "straddle" departments

  • You can delegate the ability to add members to groups, which will allow helpdesk staffers to manage what policies apply where without giving access to changing GPOs


In reality, most organizations that I've dealt with take a hybrid approach. A GPO that can be applied based on OU typically is assigned to an OU and anything that "crosses" OUs or needs to be filtered to a subset of an OU uses security filtering or item-level targeting.

In fact, I actually just deployed a single GPO to map 50 printers to various departments and it was linked at the domain level and uses item-level targeting - yet almost all of the other GPOs that we have are linked to an OU with the default security filters.

TL;DR - do what makes sense for your organization.

MDMarra
  • This, basically. There's no overall right or wrong - just which one is easier to manage for each individual GPO. – Dan Nov 29 '12 at 16:48
  • Thanks for this clear comparison. As you suggest in the end, I will probably manage to apply GPOs per OU, and for some of them, apply security filtering through the scope. In addition, I used a GPO made of several GPPs for mounting drives. Each GPP uses item-level targeting based on security groups. The GPO is applied at the top OU (called "Office"). This way, I just have one policy to maintain for all the mounted drives :) – Olivier Rochaix Nov 29 '12 at 16:55
  • I'm saying that you should evaluate each GPO based on where/how it needs to apply and make a decision that works for you. What *most* organizations do is default to an OU-based application and dip into filtering if that doesn't meet their needs - but again, it relies on a lot of variables. – MDMarra Nov 29 '12 at 16:57
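The hybrid approach described in this answer (link the GPO to an OU, then narrow it with security filtering where needed) is easy to set up in the GPMC but harder to audit later, because the effective scope is split between the link and the ACL. The following PowerShell, added here as an illustration and not code from the question or the answers, shows how to list each GPO's links next to the principals it applies to, how to convert one GPO to group-based filtering from the command line, and a check for the most common way security filtering goes wrong. The GPO name "Drive Mappings" and the group "GG-Sales" are placeholders; the cmdlets are from the GroupPolicy RSAT module.

```powershell
# Added example (not code from the question or the answers above).
# Requires the GroupPolicy RSAT module on a domain-joined machine with rights
# to read and edit GPOs. "Drive Mappings" and "GG-Sales" are placeholder names.
Import-Module GroupPolicy

# Inventory: for every GPO, list the OUs it is linked to and the principals it applies to.
# With pure OU linking the LinkedTo column tells the whole story; once security filtering
# is in play you must read both columns to know who actually receives the policy.
function Get-GpoScopeReport {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        $applyTo = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name })
        [pscustomobject]@{
            Name      = $gpo.DisplayName
            LinkedTo  = ($links -join '; ')
            AppliesTo = ($applyTo -join '; ')
        }
    }
}

# Switch one GPO from "everyone under the link" to "members of one group only".
function Set-GpoGroupFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Apply implies Read, so the target group gets both.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Downgrade Authenticated Users from Apply to Read rather than removing it.
    # -Replace is required; without it Set-GPPermission never lowers an existing level.
    # Keeping Read matters: since MS16-072 (KB3163622) user policy is retrieved in the
    # computer's security context, so a GPO no computer can read silently stops applying.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Audit for that pitfall: flag GPOs where neither Authenticated Users nor
# Domain Computers retains at least Read.
function Test-GpoComputerReadable {
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $readers = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $readLevels -contains $_.Permission } |
            ForEach-Object { $_.Trustee.Name })
        if (-not ($readers -contains 'Authenticated Users' -or $readers -contains 'Domain Computers')) {
            [pscustomobject]@{
                Name    = $gpo.DisplayName
                Problem = 'No Read for Authenticated Users or Domain Computers; user settings will not apply'
            }
        }
    }
}

# Usage with the placeholder names:
Get-GpoScopeReport | Format-Table -AutoSize
Set-GpoGroupFilter -GpoName 'Drive Mappings' -GroupName 'GG-Sales'
Test-GpoComputerReadable
```

Running Get-GpoScopeReport before and after a change is the quickest way to see what the filtering actually did; `gpresult /r` on a test user and computer confirms it from the client side. Item-level targeting on preference items, the approach used for the drive-mapping GPO in the comments above, is not exposed by these cmdlets and is configured per item in the Group Policy Management Editor.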
0

I think it all depends on the complexity of the environment you are trying to configure with Group Policy. Keep in mind that an object can be in only a single OU, whereas an object can be in more than one security group. In simple environments (like yours seems to be) I would suggest keeping your policies and the application of those policies simple as well.

Brian W