Monday, February 6, 2006

OUs or Groups?

There are two ways of applying different GPO settings to different groups of users:
Method 1: Use two levels of OUs. Users OU, Standard Users OU, Power Users OU, Mobile Users OU, Data Entry Users OU, etc... Link a GPO to the top-level Users OU to configure the greatest common denominator settings for all users. Then link a different GPO to each second-level OU to configure incremental settings for each type of user. Then place the corresponding types of user accounts in each second-level OU. Note that this approach doesn't require you to even create any security groups, but it does mean you have to create a lot of OUs and manage a lot of GPOs.
Method 2: Use GPO Security Filtering. Create a single OU called Users OU and place all user accounts in that OU. Then create different security groups (typically Global Groups) for different types of users like: Standard Users Group, Power Users Group, Mobile Users Group, Data Entry Users Group, etc... Place these security groups in any container in the domain e.g. your top-level OU or even the default Users container. Create and link a GPO to your Users OU so you can configure greatest common denominator settings for all users. Last, create and link the additional GPOs to the Users OU to configure the incremental settings for each security group and then filter each GPO so it only applies to each desired security group.
Credits: Mitch Tulloch

No comments:

Post a Comment