Applying a group policy at the domain level and scoping vs. applying at the OU level

Tags: group-policy, organizational-unit

The way I see it, if I have a GPO and want to apply it, 2 options I have are:

  1. Linking the GPO to the domain and then scoping to security groups and maybe users
  2. Linking the GPO to an OU that contains my target users (and maybe security groups)

Ex:
If I have an OU called Administration containing a security group with the same name and 4 users that are members of the security group and I want a GPO to be applied to those 4 users, I can:

  1. link the GPO to the domain and then select the Administration security group or its members under the scope tab > security filtering
  2. link to the Administration OU

Am I correct?

Is one option better? If yes, please explain how.
Thanks

Best Answer

In a large environment, linking a GPO to the top level of the domain is rare. This is due to the potential for impact. It would also increase the number of GPOs that need to be processed for machines/users that would only filter out the GPO.

If possible, it should be done at an OU level. Even in smaller environments, you would find that most GPOs are linked to an OU vs the entire domain.

If you have a hardened administration jump server where most admin activities would be performed, the GPO could be linked to the OU where that server resides, and loopback processing specified to apply the user settings to accounts that log on to that server.

Implementing Secure Administrative Hosts
http://technet.microsoft.com/en-us/library/dn487449.aspx
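Both options from the question, plus the loopback approach from the answer, can be scripted with the GroupPolicy PowerShell module. The following is an added example written for this page, not code from the question, the answer or the linked Microsoft article. The domain `corp.example`, the OU names, the group name `Administration`, the GPO names and the jump-server OU are all assumptions; replace them with your own values.

```powershell
# Added example: the two scoping options from the question, and the loopback
# pattern from the answer, expressed with the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$Domain   = 'DC=corp,DC=example'                    # assumed domain DN
$AdminOU  = "OU=Administration,$Domain"             # assumed OU holding the 4 users
$JumpOU   = "OU=AdminJumpServers,OU=Tier0,$Domain"  # assumed OU holding the jump server
$GpoName  = 'Administration User Settings'          # assumed GPO name

# --- Option 1: link at the domain root and narrow with security filtering ---
# Every user/computer in the domain still has to evaluate this link, which is
# the processing overhead the answer mentions.
New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null

# Only members of the Administration group may apply the GPO...
Set-GPPermission -Name $GpoName -TargetName 'Administration' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# ...while Authenticated Users keep Read only. Since MS16-072 the computer
# account must still be able to read the GPO, so never drop Read entirely.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# --- Option 2: link directly to the OU that contains the target users ---
# Nothing outside the OU ever evaluates this link.
Remove-GPLink -Name $GpoName -Target $Domain -ErrorAction SilentlyContinue | Out-Null
New-GPLink -Name $GpoName -Target $AdminOU -LinkEnabled Yes | Out-Null

# --- Jump-server variant from the answer: loopback processing (Merge) ---
# The user settings in this GPO apply to anyone who logs on to a computer in
# $JumpOU, regardless of where the user object lives.
$JumpGpo = 'Admin Jump Server Lockdown'             # assumed GPO name
New-GPO -Name $JumpGpo -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $JumpGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null   # 1 = Merge, 2 = Replace
New-GPLink -Name $JumpGpo -Target $JumpOU -LinkEnabled Yes | Out-Null

# --- Checks a practitioner would run afterwards ---
# How many GPOs are linked at the domain root? (Keep this number small.)
$RootLinks = (Get-GPInheritance -Target $Domain).GpoLinks
"GPOs linked at domain root: $($RootLinks.Count)"
$RootLinks | Select-Object DisplayName, Enabled, Enforced, Order

# Confirm the OU link and the loopback setting landed where expected.
(Get-GPInheritance -Target $AdminOU).GpoLinks | Select-Object DisplayName, Enabled
Get-GPRegistryValue -Name $JumpGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'

# Resultant Set of Policy for one of the four users on one jump server
# (assumed names), to verify which links actually applied and which were
# filtered out.
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop-admin.html" `
    -User 'CORP\admin.user1' -Computer 'JUMP01' | Out-Null
```

`Set-GPPermission -PermissionLevel GpoApply` is the scripted equivalent of adding the group under the Scope tab > Security Filtering in GPMC; `-Replace` on the Authenticated Users entry downgrades the default Apply right to Read instead of stacking a second entry. The RSoP report is the fastest way to see, per user and computer, which of the two scoping choices is actually in effect and which links were evaluated but filtered.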