OUs, Groups & Group Policy
Central control without chaos
Real-world analogy
Think of AD as a skyscraper. OUs are floors, groups are team memberships, and GPOs are the building’s rules (‘no shoes on carpet floor 5, strict dress code on floor 10’). Well-designed floors + rules = a clean building. Messy floors + rules = a building where nothing works and everyone blames IT.
What is it?
OUs organize directory objects, groups collect identities for permissioning, and GPOs push consistent configuration. Together they turn AD from a phonebook into a policy engine that governs thousands of machines and users predictably.
Real-world relevance
A bank wants every branch laptop to enforce screen lock after 5 minutes, disable USB storage, and use a specific proxy. A GPO linked to the Branches OU does this once — instead of configuring 2000 machines manually. New branch laptops inherit automatically.
Key points
- OUs — containers with purpose — Organizational Units exist for two reasons: delegation (who may manage the objects inside) and policy targeting (which GPOs apply there). Don't mirror the org chart blindly; build OUs around who administers what and which settings must differ. Note that the default Users and Computers containers are plain containers, not OUs: a GPO cannot be linked to them, so new accounts should land in a real OU (redirusr and redircmp change where new objects are created by default).
- Groups — Global, Domain Local, Universal — Global: members only from its own domain, usable on resources anywhere in the forest. Domain Local: members from any trusted domain, usable only on resources in its own domain, which makes it the natural place to hang a permission. Universal: members and use forest-wide, with membership replicated to the Global Catalog. The classic pattern is AGDLP: Accounts go into Global groups (roles), Global groups into Domain Local groups (resource access), and the Domain Local group carries the permission.
- Security groups vs distribution groups — Security groups have a SID that is added to the user's access token, so they can appear in ACLs on file shares, applications and GPOs. Distribution groups are mailing lists only: they never enter the token, so an ACL entry naming one can never match. Putting a distribution list on a share ACL is a classic rookie mistake.
- GPO — what it really is — A Group Policy Object is a bundle of settings (security, scripts, software installation, registry, preferences) stored in AD and SYSVOL and linked to a site, domain or OU. Computer settings apply at startup, user settings at logon, and both refresh in the background afterwards: every 90 minutes with a random offset of up to 30 minutes on workstations and member servers, every 5 minutes on domain controllers. Some settings, such as software installation and folder redirection, only process at startup or logon, never on a background refresh.
- Processing order — LSDOU — Local → Site → Domain → OU, parent OU before child OU. Later wins by default, so the OU closest to the object has the final say; within a single container, link order 1 is applied last and wins. 'Enforced' on a link makes it win conflicts and ignore any Block Inheritance beneath it; 'Block Inheritance' on an OU stops non-enforced links from above. Use both sparingly, because each one makes "why did this setting apply here?" harder to answer.
- Security filtering & WMI filters — Security filtering limits who may apply a GPO: replace Authenticated Users with a specific security group on the Apply Group Policy permission. Since MS16-072 (June 2016) user settings are retrieved in the computer's security context, so when you remove Authenticated Users you must still grant Read (not Apply) to Authenticated Users or Domain Computers, otherwise the user-side settings silently stop applying. WMI filters apply a GPO only to machines whose local WMI data matches a query (for example an OS version check against Win32_OperatingSystem); they cannot query AD attributes such as OU or department. Powerful but easy to misuse.
- gpresult & gpupdate for troubleshooting — gpupdate /force discards the local cache and reapplies every GPO. gpresult /r lists the applied GPOs, the user's and computer's group membership, and the GPOs that were filtered out with the reason; gpresult /h report.html writes the same as a browsable HTML report (run it elevated to include the computer half). These two commands answer most "did this GPO actually apply?" questions; the Microsoft-Windows-GroupPolicy/Operational event log covers the rest.
- Delegation of control — Granting helpdesk the ability to reset passwords in a specific OU, without making them Domain Admins, is a core AD skill. The Delegation of Control Wizard simply writes access control entries on the OU (for password reset: the "Reset Password" extended right on user objects, plus write access to pwdLastSet so "must change password at next logon" works). Review what it wrote with dsacls or Get-Acl, and keep privileged accounts to a minimum.
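The delegation key point above, as an added example that is not part of the original page: the ACEs the Delegation of Control Wizard writes for "Reset user passwords and force password change at next logon", created with PowerShell instead of the wizard so they can be reviewed and repeated. It assumes the fictional contoso.local domain, the G-IT-Helpdesk group and the OU=Branches OU from the design sketch, and the RSAT ActiveDirectory module on an admin workstation. The schema and extended-right GUIDs are looked up from the live forest rather than hard-coded.

```powershell
# Added example (not from the original page). Delegate password reset for user
# objects under OU=Branches to G-IT-Helpdesk. Assumes contoso.local, the OU and
# group names from the design sketch, and the RSAT ActiveDirectory module.
# Run once as an account that may change the OU's ACL (e.g. Domain Admins);
# afterwards the helpdesk needs no admin role at all.
Import-Module ActiveDirectory

$ouDn      = 'OU=Branches,DC=contoso,DC=local'
$groupName = 'G-IT-Helpdesk'

# Resolve the GUIDs from the schema and the Extended-Rights container
# instead of trusting values copied from a blog post.
$rootDse = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdRightGuid = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the "Reset Password" extended right, inherited by user objects only
# (inheritedObjectType = user class), so it never applies to computers or groups.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

# ACE 2: read/write on pwdLastSet, which is what "user must change password at
# next logon" actually toggles.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs this OU now grants to the helpdesk group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Scoping both ACEs to descendant user objects is the part that matters: a "Reset Password" right inherited by every object type in the OU would also cover computer accounts and any privileged user later moved into that OU. Re-run the verification block after anyone touches the OU with the wizard; the wizard adds ACEs, it never removes them.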
Code example
// Mini AD design for a fictional mid-size enterprise
contoso.local
├── OU=HQ
│   ├── OU=Users
│   └── OU=Computers
├── OU=Branches
│   ├── OU=Dhaka
│   ├── OU=Chattogram
│   └── OU=Sylhet
└── OU=IT-Admins
    ├── OU=HelpdeskAccounts
    └── OU=ServerAdmins

Groups (Global):
G-Branches-Users, G-Branches-Computers, G-IT-Helpdesk, G-HR

Groups (Domain Local / Resource):
DL-FileShare-HR-RW
DL-FileShare-Finance-RO

Pattern: users -> G-* -> DL-* -> permission on share

GPOs:
GPO-Baseline-All-Computers (linked to Domain)
GPO-Branch-Lockdown (linked to OU=Branches)
GPO-HR-MappedDrive (security-filtered to G-HR)
Line-by-line walkthrough
- 1. Mini AD design example
- 2. Domain root
- 3. HQ floor
- 4. HQ users
- 5. HQ computers
- 6. Branches floor
- 7. Dhaka branch OU
- 8. Chattogram branch OU
- 9. Sylhet branch OU
- 10. IT admins floor
- 11. Helpdesk accounts
- 12. Server admins
- 13. Blank separator
- 14. Global groups heading
- 15. Role-focused global groups
- 16. Blank separator
- 17. Resource groups heading
- 18. Read-write HR file share group
- 19. Read-only Finance file share group
- 20. Blank separator
- 21. Design pattern line
- 22. Blank separator
- 23. GPO layer heading
- 24. Baseline GPO across domain
- 25. Branch lockdown GPO
- 26. HR-filtered drive map GPO
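The sketch above turned into a script, as an added example that is not part of the original page: the OUs, the AGDLP group chain with the permission landing on the Domain Local group, and the GPO links, using the RSAT ActiveDirectory and GroupPolicy modules. Domain, OU, group and GPO names are the fictional ones from the sketch; G-HR is assumed to be a Global security group, \\FS01\HR is an assumed share path, and the groups are parked in the default Users container because the sketch defines no Groups OU.

```powershell
# Added example (not from the original page): build the design sketch with the
# RSAT ActiveDirectory and GroupPolicy modules. contoso.local and the OU, group
# and GPO names come from the sketch; G-HR (Global security group) and the
# share \\FS01\HR are assumptions. Re-running skips objects that already exist.
# Run as a Domain Admin on a domain-joined admin workstation.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=local'

# 1. OUs: built for delegation and policy targeting, not to mirror the org chart.
#    Parents are listed before their children so creation order is right.
$ous = 'OU=HQ', 'OU=Users,OU=HQ', 'OU=Computers,OU=HQ',
       'OU=Branches', 'OU=Dhaka,OU=Branches', 'OU=Chattogram,OU=Branches', 'OU=Sylhet,OU=Branches',
       'OU=IT-Admins', 'OU=HelpdeskAccounts,OU=IT-Admins', 'OU=ServerAdmins,OU=IT-Admins'
foreach ($ou in $ous) {
    $dn = "$ou,$domainDn"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$dn)" -SearchBase $domainDn)) {
        $name, $parent = $ou -split ',', 2          # 'OU=Dhaka', 'OU=Branches'
        $path = if ($parent) { "$parent,$domainDn" } else { $domainDn }
        New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $path
    }
}

# 2. Groups. Global groups collect accounts by role; Domain Local groups are the
#    principals the ACL names. Parked in the default Users container (assumption).
$groups = @{
    'G-Branches-Users'        = 'Global'
    'G-Branches-Computers'    = 'Global'
    'G-IT-Helpdesk'           = 'Global'
    'G-HR'                    = 'Global'
    'DL-FileShare-HR-RW'      = 'DomainLocal'
    'DL-FileShare-Finance-RO' = 'DomainLocal'
}
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -GroupScope $groups[$g] -GroupCategory Security -Path "CN=Users,$domainDn"
    }
}

# 3. AGDLP: accounts -> G-HR -> DL-FileShare-HR-RW -> Modify on the share.
#    A role change is then a Global-group membership edit, never an ACL edit.
Add-ADGroupMember -Identity 'DL-FileShare-HR-RW' -Members 'G-HR'
$acl = Get-Acl -Path '\\FS01\HR'
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'CONTOSO\DL-FileShare-HR-RW', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -Path '\\FS01\HR' -AclObject $acl

# 4. GPOs: create if missing, then link where the sketch says. GPO-HR-MappedDrive
#    is linked to the HQ users OU; narrow it to G-HR with security filtering afterwards.
$links = @{
    'GPO-Baseline-All-Computers' = $domainDn
    'GPO-Branch-Lockdown'        = "OU=Branches,$domainDn"
    'GPO-HR-MappedDrive'         = "OU=Users,OU=HQ,$domainDn"
}
foreach ($gpoName in $links.Keys) {
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
    $target = $links[$gpoName]
    $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $linked) { New-GPLink -Name $gpoName -Target $target | Out-Null }
}
```

Step 3 is the point of AGDLP: the NTFS ACE names DL-FileShare-HR-RW and nothing else, so when someone leaves HR you remove them from G-HR and the share permission takes care of itself. The check in step 4 matters too, because New-GPLink against a target that already has the link fails rather than silently succeeding.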
Spot the bug
GPO intended for Finance is accidentally linked to the Domain root.
Now the Finance desktop wallpaper appears on every machine company-wide.
Hint: which two scoping controls let you fix this without unlinking the GPO?
Answer: The correct design is to move the link: unlink at the domain root and link to the Finance OU (OU=Finance). If the link cannot be touched, scope the GPO with Security Filtering: remove Apply Group Policy from Authenticated Users, grant it to the Finance security group, and leave Read for Authenticated Users or Domain Computers so the user-side wallpaper setting still processes after MS16-072. The second control, a WMI filter, only helps if Finance machines share something visible in local WMI (an OS version or a hostname convention), because WMI filters cannot query AD attributes such as OU or department. Document the change and test with gpresult on a Finance machine and on a non-Finance machine before announcing the fix.
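Both fixes from the answer, as an added example that is not part of the original page, written with the GroupPolicy module. The GPO name GPO-Finance-Wallpaper, the group G-Finance and the OU=Finance OU are assumptions, because the page names none of them; the domain is the fictional contoso.local from the design sketch. Either fix alone is enough; they are shown together so the security-filtering caveat is visible.

```powershell
# Added example (not from the original page): two ways to rescope a GPO that was
# wrongly linked at the domain root. GPO-Finance-Wallpaper, G-Finance and
# OU=Finance are assumed names; contoso.local is the fictional domain from the sketch.
Import-Module GroupPolicy

$gpoName   = 'GPO-Finance-Wallpaper'
$domainDn  = 'DC=contoso,DC=local'
$financeOu = "OU=Finance,$domainDn"

# Fix A (correct design): move the link from the domain root to the Finance OU.
Remove-GPLink -Name $gpoName -Target $domainDn
New-GPLink -Name $gpoName -Target $financeOu -LinkEnabled Yes | Out-Null

# Fix B (scope without touching links): security filtering.
# Take "Apply Group Policy" away from Authenticated Users and give it to G-Finance.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace
Set-GPPermission -Name $gpoName -TargetName 'G-Finance' -TargetType Group `
    -PermissionLevel GpoApply
# Caveat (MS16-072, June 2016): user settings are read in the computer's security
# context, so the computer account still needs Read on the GPO. Without this line
# the wallpaper setting stops applying for everyone, Finance included.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# Verify: who may read/apply the GPO now, and where it is linked.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $financeOu).GpoLinks |
    Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, Target, Enabled, Enforced, Order

# Then, on one Finance workstation and one non-Finance workstation, confirm with
# the troubleshooting commands from the key points (run elevated):
#   gpupdate /force
#   gpresult /r /scope:user
#   gpresult /h C:\Temp\gpreport.html
```

In the gpresult output the non-Finance machine should list the GPO under "The following GPOs were not applied because they were filtered out" with the reason "Access Denied (Security Filtering)"; if it shows up as "Not Applied (Empty)" or not at all on the Finance machine, the Read permission for the computer account is what to check first.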
Explain like I'm 5
OUs are floors in a building. Groups are teams. GPOs are the floor’s rules (lights out at 10 PM, no eating at desks). Put people on the right floor in the right team and the rules just work.
Fun fact
‘AGDLP’ (Accounts -> Global -> Domain Local -> Permissions) may sound like bureaucracy, but it’s the pattern that lets AD scale from 10 users to 500,000 without rewriting permissions every time someone changes role.
Hands-on challenge
Sketch an OU and GPO design for a fictional 3-branch company with HQ + IT admins + 2 business units. Mark which GPOs link where and which groups get which file-share permissions.
More resources
- Group Policy overview (Microsoft Learn)
- Best practices for AD OU design (Microsoft Learn)
- Group Policy for beginners (John Savill)