OU Design to Support Security Group Policy
One of the most powerful tools in your Microsoft security arsenal is Group Policy. Group Policy allows you to configure over a thousand client and server settings on all members of an Active Directory domain. A large number of these Group Policy settings are directly related to the security configuration of the computers within the domain. In fact, you can use Active Directory Group Policy settings to harden the machines in your domain.
Group Policy settings can be set at several levels. These include:
- Active Directory Site
- Active Directory Domain
- Active Directory Organizational Unit (OU)
Group Policy settings are implemented through the use of Group Policy Objects (GPO). You can create multiple GPOs with different settings. However, the settings in the GPOs are not applied to any users or computer until you link the GPO to a Site, Domain or OU (SDOU).
Because GPOs can be deployed at different levels, and the settings of the different GPOs can be different and potentially conflict with each other, there must be a defined order of precedence. The order of precedence for GPO settings at different levels works this way:
- Local GPO settings are applied first
- Site GPO settings are then applied. If there is a conflict with current settings, the Site GPO settings override previous settings.
- Domain GPO settings are then applied. If there is a conflict with current settings, the Domain GPO settings override previous settings
- Parent (top level) OU settings are then applied. If there is a conflict with current settings, the Top Level GPO settings override previous settings
- Child (sub) OU settings are then applied. If there is a conflict with current settings, the sub OU settings override previous settings
In addition, there can be multiple GPOs linked to a particular computer or user. In this case, you can control the order of precedence by manually setting the order in which those GPOs are applied.
You can take advantage of this order of precedence by creating an OU design that will support your GPO security configuration as it applies to users and computers. For example, look at the design in the figure below.
As you can see, there is a parent OU for the department. For example, this could be the accounting department. Then there are two sub-OUs: one for Vista users and one for Vista Computers. Linked to the Vista Users OU is a Vista Users Policy. No policy is linked to the Vista Computers OU. Instead, there are two sub-OUs: one for Desktop Computers and one for Laptop Computers. Then two different GPOs are used: a Desktop GPO is linked to the Desktop OU and a Laptop GPO is linked to the Laptop OU.
As you can see from this OU design, it enables you to provide very specific security policies to users and computers. We could have created several more sub-OUs under the Vista Users OU, representing different levels of security that might be applied to different users in the accounting department. We could also have created more Top Level OUs, to support Windows XP.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)