GPO and OU Design

(Image: ugly GPO design)

Welcome to a series of seven short posts that will lay out all aspects of the GPO aka Group Policy Object – Microsoft’s framework for automated configuration of the Windows operating system.


GPO and OU Design

GPO assignment is closely tied to your OU design, since GPOs are linked to OUs (and to sites and the domain). Sometimes your OU structure will be a poor match for your GPO assignment needs, and it is tempting to adjust the OU structure a bit to better accommodate your GPO design. Don't fall for this!

The OU structure should be designed based on your needs to delegate administrative access to Active Directory objects – NOT your GPO assignment needs!

Let's say you have a geographically based OU design so that country admins have some autonomy when managing local users and computers, e.g. country OUs with sub-OUs named by department.

But now you have a GPO with enterprise settings that you want to assign to all marketing users in the organization. This dilemma basically leaves you with three choices: The Good. The Bad. And the Ugly.

  • The good: Use security filtering (as described in the previous section) to target a security group containing all Marketing users, and link the GPO once at the domain root (or the top-level OU). The group needs both Read and Apply Group Policy on the GPO, and since MS16-072 (KB3163622) the computer accounts still need Read, or the user settings silently stop applying.
  • The bad: Link the GPO to the Marketing sub-OU under every country OU (that is a lot of links to create, and to forget when a new country is added).
  • The ugly: Move all Marketing users out of their country OUs into a single Marketing OU.
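The "good" option, as an added example that is not from the original post: one link at the domain root plus security filtering on a dedicated group. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the GPO name, group name and holding OU are hypothetical.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# and GroupPolicy modules and a domain-admin session. GPO, group and OU names
# below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Corp-Marketing-Settings'          # hypothetical GPO
$GroupName = 'GPO-Apply-Marketing'              # hypothetical filtering group
$Domain    = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$GroupOu   = "OU=GPO Filtering Groups,$Domain"  # hypothetical OU, create it first

# 1. A global security group drives the filtering. Keep it in an OU that the
#    country admins are NOT delegated rights over, or they can add themselves.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}

# 2. Link the GPO once, at the domain root, so it reaches every country OU.
#    New-GPLink throws if the link already exists, hence the check.
$gpo = Get-GPO -Name $GpoName
$alreadyLinked = (Get-GPInheritance -Target $Domain).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null
}

# 3. Security filtering. GpoApply = Read + Apply Group Policy for the group.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Drop the default Authenticated Users entry (it carries Apply) ...
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
# ... but since MS16-072 (KB3163622) the computer account fetches the GPO, so
#     computers still need Read or the user settings silently fail to apply.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Verify: expect the group with GpoApply and Domain Computers with GpoRead,
#    and no remaining Authenticated Users entry.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

After running it, `gpresult /r` on a client logged on as a Marketing user should list the GPO under "Applied Group Policy Objects"; a non-member sees it under "Filtering: Denied (Security)".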

Obviously the last option breaks the delegation model (country admins lose control of their own Marketing users), so it should not even be considered. Delegation of AD objects should be your prime concern when designing your OU structure.

Pro-tip! Use Dynamic Groups to organize users and computers by OU placement and/or AD object attributes, then apply security filtering to the relevant GPOs using those groups. Policy assignment then follows from setting the correct attributes on your AD objects. Note that on-premises Active Directory has no native dynamic security groups, so this needs a tool that recomputes membership on a schedule. Use our free tool (yes, completely free) to manage your AD like a true pro!
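What such a dynamic group boils down to, as an added example that is not the tool the post refers to: a scheduled script that recomputes a filtering group's membership from an LDAP query over the `department` attribute. The group name and filter are hypothetical; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not the vendor tool from the post). Makes a security group
# track an AD attribute by re-deriving its membership from an LDAP filter;
# schedule it (e.g. every 30 minutes). Group name and filter are hypothetical.
Import-Module ActiveDirectory

$GroupName  = 'GPO-Apply-Marketing'   # hypothetical group used for GPO security filtering
# Enabled user accounts whose department is Marketing. The last clause excludes
# disabled accounts (userAccountControl bit 2 = ACCOUNTDISABLE).
$LdapFilter = '(&(objectCategory=person)(objectClass=user)(department=Marketing)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Desired membership, as DNs. @() keeps it an array even for 0 or 1 results.
$desired = @(Get-ADUser -LDAPFilter $LdapFilter |
    Select-Object -ExpandProperty DistinguishedName)

# Current membership via the member attribute: unlike Get-ADGroupMember it is
# not capped at 5000 entries and it does not expand nested groups.
$current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

# Safety valve: a typo in the filter would otherwise strip the GPO from every
# Marketing user at their next policy refresh. Refuse to empty the group.
if ($current.Count -gt 0 -and $desired.Count -eq 0) {
    throw "Filter matched no users; refusing to remove all $($current.Count) members of $GroupName"
}

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

'{0}: +{1} / -{2} (now {3} members)' -f $GroupName, $toAdd.Count, $toRemove.Count, $desired.Count
```

Because the group is recomputed from scratch, anything a country admin adds by hand is removed on the next run, which is the point: the `department` attribute on the user object becomes the only way to receive the policy, so audit write access to that attribute accordingly.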