Example user OUs and GPO enforcement [closed]
- the owner of the org, who needs to have the keys to the kingdom, and primarily the one who will add user accounts going forward (after all is implemented and live)
If he only needs to add and manage users/groups on AD, use delegation to give his account this (and possibly other) rights. See Implementing Active Directory Delegation of Administration. If what he needs are indeed "the keys to the kingdom", no need to create a group, just add him to the Domain Admins built-in group. Other built-in groups (ie Account Operators) may fit your needs.
- administrator(s), including me, to perform all the tech supp
Again, Domain Admins group is the place. Should you want to secure administrator accounts, follow this guide
- and any random dept OU based on which I can divide users under marketing, operations, etc
You will mainly need AD groups to enforce GPOs and access rights to shared folders. You should group users depending on those needs. With only 20 users to manage, I wouldn't bother about anything else. Keep it as slim as possible, i.e. create Dept OUs only if you are really going to need them.