Group Policy and OU structures

Hi all,

I need some input and thoughts on properly designing an OU structure that is practical and scalable. I will also need some links and articles when possible to back up these ideas. I am under the impression that an OU structure should be designed to minimize the use of filtering. I think that you OU structure should be designed in a manner where you can apply your GPO's to the specific OU that you want it to affect and kind of design your domain structure that way.

But I have come across a source that introducing a new concept to me. This is applying all of your GPO's at a top level and using security groups to control who the GPO affects. I would like to know if anyone has used this method and if so how has it worked?
I also would like to know if GPMC's RSoP will be properly diagnosed against a user and computer if this concept is applied.

If my OU is broken into depts and have some settings that I only want to apply to a portion of the dept. What have been some practices that are proven to work well. Your thoughts? Thanks.
Who is Participating?
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerConnect With a Mentor IT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
Dan, I do believe you have a good understanding of the methods..  I would like to say, you need not create "27" OU's as many users are affected by the same ones and you just link them to whatever OU's you want them applied to.  As for having to "Unlock" the desktop to check, I either log on as a user with more rights to get around this OR I temporarly put the user in a group that can do what I want.  Same thing.  We have 2 different ways of doing the same thing, all with their own pros and cons.  Dan, it's whatevery you feel comfortable with.  If you are used to traditional, set it up that way and in a non production environment test the filtering.  If that works better and you are more comfortable, then go with that.
Lee W, MVPTechnology and Business Process AdvisorCommented:
Because you can't put objects into more than one OU (but you can "accumulate" OUs), I've always done and been told to create OUs like this:


Now you put everyone into "Accounting".  Then you put the Support Staff into Accounting\SupportStaff, and your CPAs into Accounting\CPAs.  And CPAs that are management into Accounting\CPAs\Management.  And non-CPA Management into Accounting\Management.  Etc.
I can recommend the approach with security group filtering. The advantages:
* Your GPOs are all in one place, which makes for easy editing.
* You can easily control which user gets which policies applied, simply by adding/removing the user from groups. That way, you can basically determine the RSoP by yourself. Not to mention that it makes it pretty hard to lockout an Admin account ny accident.
* It eliminates the need to configure the same policy settings multiple times (for the different OUs). You group together settings that are related to each other (for example Office), and pack them into a single GPO.
An example for this:
Say you want to have the following:
* A locked down desktop for most users
* A locked down Office for some users too
* Some common general Office settings for all users
You create three groups, for example GPol-DesktopLockdown, GPol-OfficeGeneral, GPolOfficeLockdown.
You create three GPOs, for example DesktopLockdown, OfficeGeneral, OfficeLockdown.
In the Desktop Lockdown, you obviously set the policies for a tightened desktop.
In OfficeGeneral, you set the common Office settings (save paths, whatever).
In OfficeLockdown, you disable macros.
In the GPOs, you remove the Authenticated Users group from the Read and Apply permissions, and set it for the group instead.
Join the users to the respective groups, and you're done.

The "apply to only a portion of a department" is a breeze with this construction. You don't have to think in terms of OUs or departments when you're working with this type of policy configuration; instead, all you have to do is look at the user's needs and put him into the respective groups. A secretary is likely to have th same type of desktop, whether she works for department A or department B; so why configure the same policies twice in two different OUs?
All you have to do is some careful planning of how to break down and/or combine the necessary policies.

Oh, and, yes, the RSoP will of course be determined correctly. And leave the default domain policy alone, if possible.
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

danhilaireAuthor Commented:

Thank for that comment, that really enlightens me on this concept.
-Would you happen to know any disadvantages?
-Does Microsoft document this method or are there any articles that you might know of?

I would like to get as much info on these different concepts as possible in order to make the correct decisions.
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
I have to go with leew on this one.  Group policy is designed to go with OU's and only indirectly can you have a security group affected by group policy.  You cannot assign group policy directy to a security group.  Create your OU structure and apply top level GPO's where you need them and lower level GPO's for specifics.  This will keep your GPO processing to a minimum and by using the new GMPC or Rsop, you can see what is affecting what.

I learned both types for doing Group policy and I prefer this method.  I belive the other just overcomplicates things.  Just my humble opinion.

Mike KlineCommented:
How many people are in your organization?

If you apply the GPO only at the top level then use GP filtering the rest of the way then that will work but you can imagine that over time the GPO filtering could easily get out of hand and become very confusing.

I do agree that you place your broad GPO's at the top level and but then I would create a new OU for sub groups that may need changes and link those GPOs to the child OU's.  

I've always liked Standford's OU design page

oBdAConnect With a Mentor Commented:
There aren't any disadvantages I can think of; and you can use a single top level OU to apply policies for a domain of several hundred users this way.
Using security group filtering to apply GPOs is fully documented and supported by Microsoft; after all, they designed it that way. Have a look especially at the first two articles, KB322176 and KB315418. So basically (and I have to disagree with samccarty here), you can indeed assign a group policy directly to a security group, as you could in an NT4 system policy (if you've ever used those); just the means to do it have changed a bit.
And I don't want to turn this into a religious war, but I'm afraid I disagree with samccarthy again on the topics of "GPO processing" and "overcomplicating things".
Once you start setting GPOs at different OU levels, you will face two problems:
* You will *have* to use tools like the GPMC or RSoP to find out which user gets which policy applied why and from where. If you're looking for something specific, you'll have to find the user's OU, check the GPOs for that OU, check the GPOs in any OUs above that, and so on. It gets even more confusing if the same policy is set differently in different GPOs at different OU levels. In my humble opinion, that makes this approach a lot more complicated than to simply look at the groups the user is in. If you use a smart naming scheme (like letting your "policy control" groups start with "GPol", and using names you can identify easily), it's really easy to find out which policies are applied to which user; the why and from where is obvious.
* Applying policies from OUs only doesn't really keep GPO processing to a minimum; the contrary is true. When a user logs on in a down-level OU, all GPOs from all up-level OUs are applied and have to be processed as well. Basically the only way to avoid this is--you've probably already guessed it--security group filtering. So if you have to use filtering anyway, you might as well keep your GPOs together instead of spreading them out over different OUs.

As for the part about "Group policy is designed to go with OU's": yes, group policies are applied to OUs, but that's about all the connection there is. OUs are Organizational Units; as such, they're in no way meant to manage and diversify your users in such a way as to best fit your group policy application. Group policies only have something to do with your organizational structure if you start delegating control over OUs to other departments, and they want to apply their own policies; but then again, the OU that is delegated can be considered "Start of Authority", and the same procedure followed by the admins there.
In other words, you can see group policies as network resources as well as files and folders--and when accessing shares, files, folders, printers, whatever, you use groups to control the access, so you should use them as well when accessing policies.
If you have the need for completely different settings for different OUs, you can easily create some second-level OUs, and apply the policies starting from down there instead of top-level, again with security filtering.

Just combine and group the policy settings to your needs. And don't forget that, similar to applying policies to OUs at different levels, you have a GPO priority when you apply several GPOs to the same OU. Make smart use of it, and you can keep the necessary GPOs to a minimum.
Another wise thing to do (in my humble opinion again) is to keep the "Computer Configuration" and the "User Configuration" settings strictly apart. There's no reason at all to create a GPO in which policies in both categories are applied; one is "Per Machine", the other is "Per User", and there's no connection that I'm aware of that would justify combining the two in a single GPO. That will give you the possibility to disable the respective other part in a GPO; in a "Per User" GPO, you can disable the Computer configuration, and vice versa.

Here are some links that might be useful:

HOW TO: Administer GPO Properties in Windows 2000

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups

Group Policy Should Not Be Filtered By Domain Local Groups

Troubleshooting Group Policy Application Problems

Step-by-Step Guide to Understanding the Group Policy Feature Set

White Paper: Introduction to Windows 2000 Group Policy

White Paper: Windows 2000 Group Policy

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
As with many things, each administrator will have their own opinion.  I respect others with differences, however on this one, I'm going with what I was taught and know works for the networks I set up.  While Microsoft might support Group policy as suggested by odba, and I was taught that too, it is not the recommended method.  

Here is a link for Deploying Group policy in a 2003 environment.  It uses the traditional method.
Designing the structure properly in the first place does minimize processing.  If not designed properly, there can be issues.

Group policy is applied to OU's.  You are Filtering or modifying an OU policy when you are applying it to Security groups.  While small in the grand scheme of life, it is an important difference.  In my opinion, it is also asking for more complications and problems for the average user trying to setup Group Policy for the first time or for someone not very familiar with it.   As mkline71 said, and I agree, "over time the GPO filtering could easily get out of hand and become very confusing."  For an advanced user such as yourself this may not be an issue, but I have cleaned up too many networks where the worse enemy was the engineer themselves overcomplicating things.

The poster asked for an opinion, this is mine.  They can make their own conclusions from the posts.
danhilaireAuthor Commented:
There are about 1700-2000 users and growing,

Thanks for that link. It has some very useful information.

Hmmm, that is some great information and well...a new concept to me that looks like it can work, although it doesn't seem to be the way Microsoft is teaching it (I mean in MOC classes, they usually say to keep filtering to a minimum). But, it sounds like if you understand the concept of assigning permissions, then you should be able to assign all of your Group Policies by just assigning user to groups instead of applying the policy to the OU where the users are.
Some questions:
1. If you apply your policies at the top level, won't the computer settings affect DC's where the setttings are not configured in the Default Domain Controller Policy. And if so, how do you stop that?
2. you said, "Group policies only have something to do with your organizational structure if you start delegating control over OUs to other departments, and they want to apply their own policies..." Are you sure thats the only time, or can you think of any another?

It either case, it seems like just 2 different ways of doing the same thing. At the end of the day, we all have the same goal when it comes to Group Policy, to give a group of users the same settings. It seems like what you guys have a difference of opinion of is, how to GROUP your users. We can either group them by, OU's, which seem to be the tradional way), or we CAN group them by groups - which is what groups Are for anyway. I was only taught OU's which is why I kind of phreaked out when I heard about putting all of your GPO's on one level and just use filtering. But now, understanding the concept, it seems like a viable way of applying Group Policy. It's just applying permissions and the rules are that everyone under the Policy sees the Group Policy unless the administrator takes them out.
In the tradional method, you have to get creative with OU's. With filtering you have to get creative with Groups.
In either case, you should still be disabling the computer or user configuration where applicable to minimize logon processing. And eventually, using either method, you will eventually come across a situation where you have to create a sub OU, or you have to use Filtering.

Would you all agree to that?
With "top level OU", I'm simply referring to an OU that's above the others where you want to apply the settings; this doesn't have to be on the domain level.
So you can easily create, for example, an OU "Acme Users" and an OU "Acme Computers" under a domain acme.local and go from there.
As for applying policies to computer, you can do that the exact same way as with users; in an AD domain, you can make computer accounts members of groups, too.
As I said, OUs are a way to reflect your organizational structure in a way that suits best your needs. If that happens to fit the way you want to apply group policies, all the better.
But creating some "creative" OU structure, for the only reason to apply some combination of policies, is, in my opinion, incorrect usage of OUs. I see policies just as resources, just that they're applied to OUs.
You simply have a lot more flexibility when you work with group filtering.
Small example, nothing too fancy: Let's say you have a locked down desktop for your users. Every now and then, you need to unlock the desktop to check for some errors in an application; for this, you still need to apply most of the policies to the user because of other necessary settings that are defined via policies.
With filtering, you just remove the user from the "GPol-DesktopLockdown" group and you're done.
With OUs, it's more complicated. You'd have to create a separate OU, with all the settings except the desktop lockdown defined, and move the user into this OU.
The point is, you usually have a wide variety of different policies that are applied to different user configurations, and the simple combinatorics involved will reliably prevent the use of OUs only. Imagine, nothing too fancy again, three possible Office configurations, three possible IE configurations, three possible desktop configurations, and users may need any combination. To sort that out with OUs only, you'd need 27 of them. With filtering, you're down to 9 groups controlling 9 GPOs.
Only if you have a few, really well-defined static configurations it might make sense to create OUs just for the policies.
If you're using terminal servers and have the need for different policies, depending on whether the users log on to their desktops or the TS, then there's no way around filtering anyway.
So given your user number, you'll probably end up with a combination. Some top-level OUs for "rough" sorting, and then some GPOs that are applied with filtering for fine-tuning.
Do a thorough research about what you want and need to achieve and configure with policies, then develop a configuration that suits your needs best. Pick the best of both worlds.
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
Thanks and good luck!
All Courses

From novice to tech pro — start learning today.