Designing Active Directory OU's and GPO's

Encinitas used Ask the Experts™

I have 3 DC's Windows Server Datacenter 2016 and about 80 other servers with a mix of OS's. Windows 2008 R2, 2012, and 2016. I'm configuring a patch management solution to deploy Windows updates. I'm looking for the best way to set up my Servers in their OU's and GPO's. I will need an OU for critical and one OU for non-critical servers.

Should I have all servers with different OS's in one OU with one GPO or should I have separate OU's for each server's OS?

What is the best practice?

Distinguished Expert 2018
OU organization is very subjective, so I don't think there is a singular "best practice" for you to follow.

With that said, OUs usually should map to some logical organization map.  Whether that means departments, or locations, or other business groupings.

I usually would *NOT* do OUs for patch rings, nor for OSes. Those are technical groupings, not business groupings.  Security groups and WMI filters are better suited for handling such things.
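The security-group and WMI-filter targeting mentioned in this answer could look like the following. This is an added example, not code from the original thread; the OU path, group names and GPO names are hypothetical, and it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed.

```powershell
# Added example: all names below (OU path, groups, GPOs) are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$serversOu = 'OU=Servers,DC=example,DC=com'   # one business-level OU, no per-OS or per-ring OUs

# Patch ring (security group) -> GPO carrying that ring's update settings
$rings = @{
    'Patch-Critical'    = 'Servers - Patching - Critical'
    'Patch-NonCritical' = 'Servers - Patching - NonCritical'
}

foreach ($group in $rings.Keys) {
    $gpoName = $rings[$group]

    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
    }
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    # Both GPOs are linked to the same OU; the security filter decides who applies which.
    $linked = (Get-GPInheritance -Target $serversOu).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $serversOu | Out-Null
    }
    # Authenticated Users keeps Read but loses Apply; only the ring group applies the GPO.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# WQL for per-OS WMI filters (paste into a WMI filter in GPMC and attach to an OS-specific GPO).
# ProductType 1 = workstation, so <> "1" keeps member servers and DCs only.
$wmiFilters = [ordered]@{
    'Server 2008 R2' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1"'
    'Server 2012'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType <> "1"'
    'Server 2016'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.14393%" AND ProductType <> "1"'
}

# Run on a target server to see which filter it would match before relying on it.
foreach ($os in $wmiFilters.Keys) {
    $match = [bool](Get-WmiObject -Query $wmiFilters[$os])
    '{0,-15} matches this host: {1}' -f $os, $match
}
```

A computer picks up a new security group membership only after it restarts, so add servers to a ring group before the patch window rather than during it.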
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018
In addition to the above, proper AD sites and subnet configuration also means that you can target based on an AD site instead of an OU.
