
Designing Active Directory OU's and GPO's


I have 3 DC's running Windows Server Datacenter 2016 and about 80 other servers with a mix of OS's: Windows 2008 R2, 2012, and 2016. I'm configuring a patch management solution to deploy Windows updates. I'm looking for the best way to set up my servers in their OU's and GPO's. I will need an OU for critical and one OU for non-critical servers.

Should I have all servers with different OS's in one OU with one GPO or should I have separate OU's for each servers OS's?

What is the best practice?

2 Solutions
Cliff Galiher Commented:
OU organization is very subjective, so I don't think there is a singular "best practice" for you to follow.

With that said, OUs usually should map to some logical organization map.  Whether that means departments, or locations, or other business groupings.

I usually would *NOT* do OUs for patch rings, nor for OSes. Those are technical groupings, not business groupings.  Security groups and WMI filters are better suited for handling such things.
Shaun Vermaak, Technical Specialist/Developer, Commented:
In addition to the above, proper AD sites and subnet configuration also means that you can target based on an AD site instead of an OU.
Question has a verified solution.
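
The approach Cliff Galiher describes above (security groups and WMI filters instead of per-ring or per-OS OUs), shown as an added example that is not part of the original thread. The domain, OU paths, group, GPO and host names are hypothetical, and the first part assumes the RSAT ActiveDirectory and GroupPolicy modules on an admin workstation.

```powershell
# Added example. Domain, OU paths, group names, GPO names and host name are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$serversOu = 'OU=Servers,DC=example,DC=test'
$groupsOu  = 'OU=Groups,DC=example,DC=test'

# One security group and one GPO per patch ring; both GPOs link to the same OU.
$rings = @{
    'Patch-Critical'    = 'Patching - Critical servers'
    'Patch-NonCritical' = 'Patching - Non-critical servers'
}

foreach ($ring in $rings.GetEnumerator()) {
    New-ADGroup -Name $ring.Key -GroupScope Global -GroupCategory Security -Path $groupsOu
    $gpo = New-GPO -Name $ring.Value

    # Authenticated Users keeps Read so computers can still retrieve the GPO,
    # but only members of the ring group get Apply.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace
    Set-GPPermission -Guid $gpo.Id -TargetName $ring.Key -TargetType Group `
        -PermissionLevel GpoApply
    New-GPLink -Guid $gpo.Id -Target $serversOu
}

# Changing a server's ring is a group change, not an OU move.
# A computer picks up new group membership after its next restart.
Add-ADGroupMember -Identity 'Patch-Critical' -Members (Get-ADComputer -Identity 'SRV-APP01')

# WQL for per-OS WMI filters (created and attached to a GPO in GPMC).
# ProductType 1 is a workstation, so <> 1 keeps member servers and domain controllers.
$osFilters = @{
    'Server 2008 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> 1'
    'Server 2012'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType <> 1'
    'Server 2016'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.14393%" AND ProductType <> 1'
}

# Run this part on a server before relying on a filter:
# a WMI filter matches a host when its query returns at least one object there.
foreach ($f in $osFilters.GetEnumerator()) {
    $hit = @(Get-WmiObject -Query $f.Value).Count -gt 0
    '{0,-15} matches this host: {1}' -f $f.Key, $hit
}
```

Because the ring groups decide which servers receive patch policy, restrict who can modify their membership and audit changes to them.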
