Group Policy delivers and enforces policies to targeted objects such as users and computers by creating GPOs and linking them to Active Directory domains, OUs, or sites that contain these objects. The way you design your Active Directory structure can thus have a significant impact on how effectively you can deploy, manage, and maintain your Group Policy infrastructure.
Most of your Group Policy planning efforts should involve designing the hierarchy of OUs for each of the domains in your forest. You should consider the following issues when designing such an OU structure:
Manageability: Your implementation of Group Policy should be as easy to administer as possible.
Delegation: You might want to delegate administrative control for specific OUs to specific users or groups in your IT department.
Inheritance: When a GPO is linked to a domain, the GPO applies to the users and computers in every OU and child OU in the domain. And when a GPO is linked to an OU, the GPO applies to the users and computers in every child OU of that OU.
Precedence: When multiple GPOs that apply to a user or computer have the same policy configured, the order in which GPOs are applied determines their precedence. By default, GPOs are applied in the following order of precedence:
1. GPOs linked to the site where the user or computer resides
2. GPOs linked to the domain where the user or computer resides
3. GPOs linked to the OU where the user or computer resides
4. GPOs linked to the child OU where the user or computer resides
Also, when multiple GPOs are linked to a specific site, domain, or OU, the link order can be modified. Inheritance can also be enforced or blocked on a per-link basis, and GPOs can be selectively targeted to users in specific security groups or computers of specific types by using security filtering or Windows Management Instrumentation (WMI) filtering.
Meeting all of the preceding requirements can be challenging for organizations that have multiple branch offices, special categories of users or devices, or a complex organizational chart. A good place to start with designing an OU structure that supports Group Policy is to do something similar to what is shown in Figure 2. The basic elements of this OU structure are as follows:
Each geographical location, including both the head office and any branch offices, is represented by a first-level OU in the domain.
Second-level OUs are created beneath the head office OU to represent different kinds of users (administrators, ordinary users) and systems (client computers, servers).
The second-level Computers OU contains two child OUs representing desktop and laptop computers. The Servers OU also contains child OUs for each type of server in the environment.
If different departments in your organization have different requirements, you could modify the OU structure shown in Figure 2 by including a new level of departmental OUs (Sales, HR, and so on) in between the first-level and second-level OUs described.
From the perspective of implementing and managing Group Policy, the advantages of the preceding approach to OU design include the following:
The OU structure is easy to understand and visualize, and your GPO infrastructure will match this simple hierarchy. Keeping things simple is a key to having a manageable environment.
Delegation of administration is easy to implement. For example, if you delegate the authority to perform Group Policy modeling analyses of objects in the Computers OU by assigning the appropriate permissions to the Support group, the group will automatically be able to perform the same task for objects in the Desktops and Laptops OUs, which are child OUs of the Computers OU.
GPOs linked to deeply nested OUs can have fewer policies to configure than their parent OUs. For example, the GPO linked to the Computers OU could enforce the policies that apply to all types of computers, including both desktops and laptops. The GPOs linked to the child OUs (Desktops, Laptops) would then only have the few policies configured that apply to those specific types of systems. Group Policy inheritance will then ensure that the settings in the GPO linked to the Computers OU will be processed by computers in both the Desktops and Laptops OUs.
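The precedence rules described earlier (site, domain, OU, child OU processing order, link order, Enforced links, and Block Inheritance) and the inheritance behaviour of the Computers, Desktops, and Laptops OUs just described can be checked with a small simulation. The following Python script is an added example, not code from the original text or from Microsoft; it models how a client resolves the effective value of each setting for the Figure 2 OU layout. The domain name, GPO names, and setting names are constructed for illustration.

```python
"""Model of Group Policy precedence (site, domain, OU, child OU), link order,
Enforced links and Block Inheritance, applied to the OU layout of Figure 2.
Added example: a simulation, not Windows code. Container, GPO and setting
names below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict  # policy name -> configured value


@dataclass
class Link:
    gpo: GPO
    order: int            # link order within the container; 1 = highest precedence
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    name: str             # a site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """Return GPOs in the order the client processes them for an object whose
    site-to-leaf-OU chain is `chain`. Later entries overwrite earlier ones,
    so the last GPO that configures a setting wins."""
    # Block Inheritance on a container discards non-enforced GPOs linked above it;
    # the deepest blocking container decides where inheritance starts.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced_per_container = [], []
    for i, container in enumerate(chain):
        # Within one container, higher link-order numbers are processed first,
        # so the link with order 1 is processed last and takes precedence.
        ordered = [lk for lk in sorted(container.links, key=lambda lk: lk.order, reverse=True)
                   if lk.enabled]
        enforced_per_container.append([lk.gpo for lk in ordered if lk.enforced])
        if i >= start:
            normal.extend(lk.gpo for lk in ordered if not lk.enforced)
    # Enforced links ignore Block Inheritance and are processed after everything
    # else; the enforced GPO linked at the highest container is processed last.
    enforced = [g for per in reversed(enforced_per_container) for g in per]
    return normal + enforced


def resultant_settings(chain):
    """Resolve the effective value of every setting and record the winning GPO."""
    effective, winner = {}, {}
    for gpo in processing_order(chain):
        for name, value in gpo.settings.items():
            effective[name], winner[name] = value, gpo.name
    return effective, winner


# Constructed GPOs for the Figure 2 layout: HeadOffice > Computers > {Desktops, Laptops}
domain_policy = GPO("Default Domain Policy", {"PasswordMinLength": 14, "ScreenLockSeconds": 900})
computers_baseline = GPO("Computers Baseline", {"FirewallEnabled": True, "ScreenLockSeconds": 600})
laptops_policy = GPO("Laptops Policy", {"BitLockerRequired": True, "ScreenLockSeconds": 300})
desktops_policy = GPO("Desktops Policy", {"WakeOnLan": True})


def build_chain(leaf="Laptops", enforce_domain=False, block_at_leaf=False):
    """Site -> domain -> HeadOffice -> Computers -> leaf OU, for a constructed domain."""
    site = Container("Default-First-Site-Name")
    domain = Container("corp.example", [Link(domain_policy, 1, enforced=enforce_domain)])
    head_office = Container("HeadOffice")
    computers = Container("Computers", [Link(computers_baseline, 1)])
    leaf_gpo = laptops_policy if leaf == "Laptops" else desktops_policy
    leaf_ou = Container(leaf, [Link(leaf_gpo, 1)], block_inheritance=block_at_leaf)
    return [site, domain, head_office, computers, leaf_ou]


if __name__ == "__main__":
    scenarios = [
        ("laptop", build_chain("Laptops")),
        ("desktop", build_chain("Desktops")),
        ("laptop, domain GPO enforced", build_chain("Laptops", enforce_domain=True)),
        ("laptop, Block Inheritance on Laptops OU", build_chain("Laptops", block_at_leaf=True)),
    ]
    for label, chain in scenarios:
        effective, winner = resultant_settings(chain)
        print(f"{label}:")
        for name in sorted(effective):
            print(f"  {name} = {effective[name]}  (from {winner[name]})")
```

Running the script shows the point made above: a laptop receives FirewallEnabled from the Computers Baseline GPO without that setting being configured in the Laptops GPO, while its ScreenLockSeconds value comes from the Laptops GPO because the child OU is processed last. Enforcing the domain link reverses that outcome, and blocking inheritance on the Laptops OU drops every non-enforced setting from above it while an enforced domain GPO still applies.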