Group Policies and OU Design
Administrators create group policies to prevent users from performing certain tasks or to automatically configure specific functionality. For example, a group policy can be established to display a legal notice to all users who attempt to log on to a system, or to restrict access to the Command Prompt. Group policies can be linked to Active Directory sites, domains, and OUs, but they can also be configured to apply only to specific security groups. This functionality gives the domain designer greater flexibility in how group policies are applied.
As previously mentioned in this chapter, creating additional OUs simply to apply multiple group policies is not an efficient use of OU structure and can lead to overuse of OUs in general. Rather, you can achieve a more straightforward approach to group policies by applying them directly to groups of users. The following procedure illustrates how you can apply a specific group policy at the domain level but enact it only on a specific group:
1. In Active Directory Users and Computers, right-click the domain name and choose Properties.
2. Select the Group Policy tab.
3. Select the group policy that you want to apply to a group and click the Properties button.
4. Select the Security tab.
5. Uncheck the Read and the Apply Group Policy check boxes for the Authenticated Users group, if it exists.
6. Click the Add button to select a group to apply the policy to.
7. Type the name of the group into the text box and click OK.
8. Select the group you just added and check the boxes for Read and Apply Group Policy, as shown in Figure 6.10.
9. Repeat steps 6 through 8 for any additional groups to which the policy should apply.
10. Click OK and then Close to save the changes.
11. Repeat steps 1 through 10 for any additional group policies.
Figure 6.10 Adding Read and Apply Group Policy security properties.
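The same security filtering can be scripted with the GroupPolicy PowerShell module, which is useful when the change has to be repeated across many GPOs and verified afterwards. The following is an added example, not code from the book; it assumes a GPO named "Legal Notice" and a target group named "Help Desk Staff" (both placeholder names), and that the GroupPolicy module is available on the machine. It also adds one check the GUI procedure predates: since the MS16-072 update (June 2016), user policy is read under the computer's security context, so removing Read from Authenticated Users silently stops the policy from applying unless computer accounts are still granted Read on the GPO.

```powershell
# Added example (not from the book): scripted equivalent of the security
# filtering procedure above, using the GroupPolicy module's
# Set-GPPermission / Get-GPPermission cmdlets.
# Placeholder names (assumptions, not from the text): GPO "Legal Notice",
# group "Help Desk Staff".
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $TargetGroup
    )

    # Step 5: remove Read and Apply Group Policy from Authenticated Users so
    # the GPO no longer applies to everyone. PermissionLevel None deletes the
    # ACE, which is what unchecking both boxes in the GUI does.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel None | Out-Null

    # Caveat: after MS16-072 the computer account must still be able to
    # read the GPO for user settings to apply. Granting GpoRead (not
    # GpoApply) to Domain Computers preserves the group filtering.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null

    # Steps 6 through 9: grant Read + Apply Group Policy to each target group.
    foreach ($group in $TargetGroup) {
        Set-GPPermission -Name $GpoName -TargetName $group `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
    }

    # Return the resulting ACL so the caller can confirm the filter.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Test-GpoReadableByComputers {
    # Audit: report GPOs where neither Authenticated Users nor Domain
    # Computers holds at least GpoRead. Such GPOs are the usual cause of
    # "the policy just stopped applying" after security filtering.
    $readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
    Get-GPO -All | ForEach-Object {
        $gpo   = $_
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $readable = $perms | Where-Object {
            $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
            $_.Permission -in $readLevels
        }
        if (-not $readable) {
            [pscustomobject]@{
                GpoName = $gpo.DisplayName
                Id      = $gpo.Id
                Issue   = 'No Read permission for computer accounts'
            }
        }
    }
}

# Usage with the placeholder names:
Set-GpoSecurityFilter -GpoName 'Legal Notice' -TargetGroup 'Help Desk Staff' |
    Format-Table -AutoSize
Test-GpoReadableByComputers | Format-Table -AutoSize
```

Run Test-GpoReadableByComputers after any filtering change, and again as a periodic audit; a GPO it lists will not deliver user settings on current Windows versions even though the target group appears to have Apply Group Policy rights.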
Applying a group policy at the domain level but enacting it only on a specific group reduces the number of unnecessary OUs in an environment and helps to simplify administration. In addition, group policy enforcement becomes easier to troubleshoot, because complex OU structures need not be scrutinized.