AD Best Practices, General info needed

Hello everyone,

I currently have 10 sites in AD, and that is also reflected in my OU structure. The structure is something like this:

    Site (OU)
        admins, contacts, groups, servers, unmanaged, users, workstations, laptops

What is the difference between applying a GPO to the site (in AD Sites and Services) and applying it to the OUs that reflect the sites? Does it make a difference in regards to the processing of the GPO?

If I want a GPO to apply to certain users, would I be better off having that GPO encompass an entire site, but only applied to groups in the security permissions?

If someone could point me in the right direction to an efficient and intuitive GPO structure, it would be greatly appreciated. Thanks.

Leandro Iacono, Senior Premier Field Engineer, commented:
There really is no difference in your case as to OU/sites ... you might have logon time issues, but in your case, since you have OUs reflecting those of sites, it would be the same thing.

Microsoft always recommends using "deny" in the security permissions for a GPO as little as possible. If you can avoid using it, go that way. If it's a very specific situation, use the deny option ... it's there for a reason ...

Let me see if I can post more info on GP site vs. OU ...
Leandro Iacono, Senior Premier Field Engineer, commented:
"Group Policy on sites
Group Policy objects that are applied to Active Directory site objects affect all computers in the site. Directory information is replicated and available among all the domain controllers in the site and to any domain controllers in sites for which a site link has been established. Therefore, any Group Policy object that is linked to a site is applied to all computers in that site, without regard to which domain (in the forest) contains the computers.

This allows multiple domains within a forest to receive the same Group Policy object (and included policies), although the Group Policy object exists only as a stored entity on a single domain and it must be read from that domain when the affected clients read their site-linked Group Policy.

If child domains are set up across wide area network (WAN) boundaries, the site setup should take this into account. If it does not, the computers in a child domain access a site-linked Group Policy object across a WAN link. This increases the processing time for Group Policy."

See where I was going with logon timings? But in your case, I would apply directly to the OU instead of the site. Site is basically only used when you want to span the same GP over several domains ... and you should only apply to the site when you want to achieve this type of goal ...

If not, you should apply to the OU ... but again, in your case, it would be basically the same thing ...
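As an added worked example (not part of this thread and not Microsoft's own code), this is how the advice above looks in practice with the RSAT GroupPolicy module: the GPO is linked at the site-mirroring OU rather than at the AD site, and it is scoped to a security group with an allow-style security filter instead of a Deny entry. The GPO, OU, site and group names are made-up placeholders.

```powershell
# Added example: link a GPO at the OU that mirrors a site and scope it with
# security filtering (group gets Apply; Authenticated Users keep Read only).
# Requires the RSAT GroupPolicy module and rights to create/link GPOs.
Import-Module GroupPolicy

$gpoName    = "Site-Chicago-UserSettings"                              # placeholder
$siteOu     = "OU=users,OU=Chicago,DC=corp,DC=example"                 # placeholder OU mirroring the site
$siteDn     = "CN=Chicago,CN=Sites,CN=Configuration,DC=corp,DC=example" # placeholder AD site DN (not used here)
$scopeGroup = "GPO-Chicago-UserSettings-Apply"                          # placeholder security group

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Linked at the OU; scoped by security group, no Deny ACEs"
}

# 2. Link it at the OU. Linking at $siteDn instead would apply it to every
#    computer in that site, in every domain of the forest, and clients in other
#    domains would read it across the WAN from the domain that stores it.
$alreadyLinked = (Get-GPInheritance -Target $siteOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $siteOu -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: the scoping group gets Apply; Authenticated Users are
#    lowered from Apply to Read (-Replace is required to lower a level).
#    Keep Read: since the MS16-072 update, user policy is retrieved in the
#    computer's security context, so computer accounts (members of Authenticated
#    Users) must still be able to read the GPO or it silently stops applying.
Set-GPPermission -Name $gpoName -TargetName $scopeGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify who can apply the GPO and where it is linked.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission |
    Format-Table -AutoSize
(Get-GPInheritance -Target $siteOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize
```

Running `gpresult /r` on a client in the OU shows the GPO under applied objects for members of the group and under "filtered out (Security)" for everyone else, which is the expected result of the filter.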


bwalker1 (Author) commented:
Leandro Iacono, Senior Premier Field Engineer, commented:
No problem!