GPO best practices : Security-Group Filtering Versus OU
- by Olivier Rochaix
Good afternoon everyone,
I'm quite new to Active Directory stuff. After upgraded Functional level of our AD from 2003 to 2008 R2 (I need it to put fine-grained password policy), I then start to reorganized my OUs.
I keep in mind that a good OU organization facilitate application of GPO (and maybe GPP).But in the end, it feels more natural for me to use Security-group filtering (from Scope tab) to apply my policies, instead of direct OU.
Do you think it is a good practice or should I stick to OU ?
We are a small organisation with 20 users and 30-35 computers. So, we got a simple OU tree, but more subtle split with security-groups.
The OU tree doesn't contain any objects except at the bottom level. Each bottom level OU contains Computers,Users, and of course security groups. These security groups contains Users & Computers of the same OU.
Thanks for your advices,
Olivier