GPO best practices : Security-Group Filtering Versus OU

Good afternoon everyone,

I'm quite new to Active Directory stuff. After upgrading the functional level of our AD from 2003 to 2008 R2 (I needed it to put in place a fine-grained password policy), I then started to reorganize my OUs. I keep in mind that a good OU organization facilitates the application of GPOs (and maybe GPPs). But in the end, it feels more natural for me to use security-group filtering (from the Scope tab) to apply my policies, instead of OUs directly.

Do you think it is a good practice, or should I stick to OUs?

We are a small organisation with 20 users and 30-35 computers. So we have a simple OU tree, but a more subtle split with security groups.

The OU tree doesn't contain any objects except at the bottom level. Each bottom-level OU contains computers, users and, of course, security groups. These security groups contain the users and computers of the same OU.

Thanks for your advice, Olivier


Benefits to using an OU-based GPO layout

  • Easier to immediately see the affected set of objects

  • Less overhead involved than managing additional security groups

  • Less replication to other DCs and smaller user tokens, since you don't need a bunch of extra security groups (this probably doesn't matter much to a smaller infrastructure like you describe)

  • In most organizations, almost all policies can apply at an OU level in a well designed AD

  • Easier delegation

Benefits to using a scope-based GPO layout

  • More flexible

  • Solves the "where should I put this object?" problem that comes up for employees who might "straddle" departments

  • You can delegate the ability to add members to groups, which will allow helpdesk staffers to manage what policies apply where without giving access to changing GPOs


In reality, most organizations that I've dealt with take a hybrid approach. A GPO that can be applied based on OU typically is assigned to an OU and anything that "crosses" OUs or needs to be filtered to a subset of an OU uses security filtering or item-level targeting.

In fact, I actually just deployed a single GPO to map 50 printers to various departments and it was linked at the domain level and uses item-level targeting - yet almost all of the other GPOs that we have are linked to an OU with the default security filters.

TL;DR - do what makes sense for your organization.
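As an added example (not from the original question or answer), the PowerShell script below uses the GroupPolicy RSAT module to inventory how each GPO in the domain is scoped: where it is linked and which trustees it applies to, so OU-linked and security-filtered GPOs can be reviewed side by side. It assumes the GroupPolicy module is installed and the caller can read GPOs; the function name Get-GpoScopeReport is mine.

```powershell
# Added example: report each GPO's links and security filtering.
# Assumes the GroupPolicy module (RSAT) and domain read access.
Import-Module GroupPolicy

function Get-GpoScopeReport {
    [CmdletBinding()]
    param()

    foreach ($gpo in Get-GPO -All) {
        # Links are only exposed through the XML report (LinksTo/SOMPath)
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        # Every trustee on the GPO ACL with its permission level
        $perms = Get-GPPermission -Guid $gpo.Id -All

        $applyTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                     ForEach-Object { $_.Trustee.Name })

        # Any permission level that includes Read
        $readSids = @($perms |
            Where-Object { $_.Permission -in 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity' } |
            ForEach-Object { "$($_.Trustee.Sid)" })

        # Default filter is Authenticated Users (S-1-5-11); anything else means
        # the GPO is security filtered rather than purely OU scoped.
        $applySids = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                       ForEach-Object { "$($_.Trustee.Sid)" })
        $filtered  = @($applySids | Where-Object { $_ -ne 'S-1-5-11' }).Count -gt 0

        # Since MS16-072, user settings are read in the computer's security
        # context, so a filtered GPO still needs Read for Authenticated Users
        # (S-1-5-11) or Domain Computers (RID 515).
        $computersCanRead = ($readSids -contains 'S-1-5-11') -or
                            (@($readSids | Where-Object { $_ -like '*-515' }).Count -gt 0)

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            LinkedTo         = ($links -join '; ')
            AppliesTo        = ($applyTo -join ', ')
            SecurityFiltered = $filtered
            ComputersCanRead = $computersCanRead
            Warning          = if ($filtered -and -not $computersCanRead) {
                                   'Filtered GPO lacks Read for computers; user settings may not apply'
                               } else { '' }
        }
    }
}

Get-GpoScopeReport | Sort-Object SecurityFiltered -Descending | Format-Table -AutoSize
```

GPOs with SecurityFiltered set to True are the ones the answer describes as "crossing" OUs; those with a non-empty Warning column will silently skip their user settings on clients patched for MS16-072 until Domain Computers is granted Read.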