Up until now I have just left all the users and computers in my domain in the domain root.
I've been considering how I might better organize my AD, but I don't see the advantage of using OUs yet.
Right now, I organize everything using security groups, and then apply GPO using security filtering.
If I organize everything by OU, it seems to me all it will allow me to do is remove security filtering on a few GPOs. But it also seems it will make figuring out membership and inheritance more complex overall.
What am I missing here?
I found these two threads where it seems others are similarly confused about how to make good use of OUs:
Structuring an OU to properly model an Organizational Hierarchy
Apply group policy to specific users (in an OU) on specific computers (not in an OU)
Best Answer
Mostly the reason for putting users on OUs is for Organization as the name purposes.
Mainly, the most important reason is GPOs. OUs help you to isolate GPOs, you can direct GPOs by using the security options or WMI filters, but WMI filters are real performance killers, and generally cause slow logon.
Other important benefit is the possibility to delegate control of OU to users. That way you can make your security stronger and delegate functions to non adminsitrator users. The less privileges a user has, the better.