The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot.
Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.
How you design your organizational unit structure and GPOs will depend on the administrative requirements and roles in your corporation. For example, if administrators are organized according to their duties (such as security administrators, logon administrators, and so on), you may find it useful to define these policy settings in separate Group Policy objects.
Delegation of authority will depend largely on whether you use centralized or distributed administration in your corporation. Based on their particular corporate requirements, network administrators can use security groups and Discretionary Access Control List permissions to determine which administrator groups can modify policy settings in GPOs.
In general, do not model your organizational unit structure on your business organization. Instead, design it around how you administer your business.
General guidelines for using GPOs and policy features:
- Separate Users and Computers into Different Organizational Units
- Minimize the Number of Group Policy Objects Associated with Users or Computers
- Minimize the Use of the Block Policy Inheritance Feature
- Minimize the Use of the Enforce Feature
- Use Loopback Processing Only When Necessary
- Avoid Using Cross-Domain GPO Assignments
- Avoid Editing the Default Domain GPO
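
The guidelines above can be checked against a live domain. The following read-only audit is an added example, not part of the original page: it flags OUs that mix users and computers, block inheritance, carry enforced or cross-domain links, or exceed a link count. The `$MaxLinksPerOU` threshold and the `New-Finding` helper are assumptions made for illustration.

```powershell
# Added example: read-only audit of OU GPO links against the guidelines above.
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$MaxLinksPerOU = 5                      # assumed threshold, not from the page
$domain = (Get-ADDomain).DNSRoot

# Hypothetical helper: one row per guideline deviation
function New-Finding($OU, $Issue, $Gpo) {
    [pscustomobject]@{ OU = $OU; Issue = $Issue; Gpo = $Gpo }
}

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $dn    = $ou.DistinguishedName
    $som   = Get-GPInheritance -Target $dn
    $links = @($som.GpoLinks)

    # Users and computers sharing one OU (direct children only)
    $hasUser     = Get-ADUser -Filter * -SearchBase $dn -SearchScope OneLevel -ResultSetSize 1
    $hasComputer = Get-ADComputer -Filter * -SearchBase $dn -SearchScope OneLevel -ResultSetSize 1
    if ($hasUser -and $hasComputer) { New-Finding $dn 'Users and computers mixed' $null }

    # Block Policy Inheritance set on the OU
    if ($som.GpoInheritanceBlocked) { New-Finding $dn 'Block Inheritance set' $null }

    # Too many GPOs linked directly to the OU
    if ($links.Count -gt $MaxLinksPerOU) {
        New-Finding $dn "More than $MaxLinksPerOU GPOs linked ($($links.Count))" $null
    }

    foreach ($link in $links) {
        # Enforced (formerly "No Override") links
        if ($link.Enforced) { New-Finding $dn 'Enforced link' $link.DisplayName }
        # GPO stored in a different domain than the OU it is linked to
        if ($link.GpoDomainName -ne $domain) {
            New-Finding $dn "Cross-domain link ($($link.GpoDomainName))" $link.DisplayName
        }
    }
}

$findings | Sort-Object OU, Issue | Format-Table -AutoSize -Wrap
```

The script only inspects OUs in the current domain; links on the domain root and on sites, and loopback settings inside individual GPOs, are not covered.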