GPO design advise?

[cajuntank]

Right now, I have OU(s) created for my individual sites. There are child OU(s) under each of these for users and computers respectively. Most of my users (being teachers and students), I have created a "Restricted" GPO which locks them down pretty good. I have administrative users which I would like to keep fairly open.
Creating a GPO, defaults the security filter to "Authenticated Users". Since my "Restricted" GPO has restrictions in both Computer and User Configuration sections, will I have to create a user and computer group to replace the "Authenticated Users" under security filtering or is there a better design?

 

[theravager]

Hard to say, you can either put the users in a ou to apply different policies or you can bind by security groups.

There isn't really a right or wrong answer here, it sort of depends on how complex and how many Group polices are in use and business function, generally one way lends itself better then another.

Generally its better practice to not create Group Policies with both computer and user settings but keep them seperate. Once again its just 'depends'

 

[baddos]

I prefer to use OUs to filter out different policies than the sercuity settings. It's easy to read for someone else to quickly see what is going one, without having to run gpresult at the affect computer/user.

You can do some nice things with inheritance too, either accepting or blocking it.