GPO best practices : Security-Group Filtering Versus OU

Posted by Olivier Rochaix on Server Fault See other posts from Server Fault or by Olivier Rochaix
Published on 2012-11-29T16:32:35Z Indexed on 2012/11/29 17:06 UTC
Read the original article Hit count: 526

Good afternoon everyone,

I'm quite new to Active Directory stuff. After upgraded Functional level of our AD from 2003 to 2008 R2 (I need it to put fine-grained password policy), I then start to reorganized my OUs. I keep in mind that a good OU organization facilitate application of GPO (and maybe GPP).But in the end, it feels more natural for me to use Security-group filtering (from Scope tab) to apply my policies, instead of direct OU.

Do you think it is a good practice or should I stick to OU ?

We are a small organisation with 20 users and 30-35 computers. So, we got a simple OU tree, but more subtle split with security-groups.

The OU tree doesn't contain any objects except at the bottom level. Each bottom level OU contains Computers,Users, and of course security groups. These security groups contains Users & Computers of the same OU.

Thanks for your advices, Olivier

© Server Fault or respective owner

Related posts about active-directory

Related posts about group-policy