Joe,
The problem is that, as someone else mentioned, your OU structure serves two purposes:
 
1) To delegate authority
2) To apply rights and restrictions via GPOs
 
Now if you are going to delegate authority, as far as I can see, the only way to do that is via OUs. You could apply specific rights to individual users, but that's messy to manage and impractical. On the other hand, users get many rights already because of group membership, so it's (more?) natural to apply GPOs based on group membership rather than having rights or restrictions "drop on you from above" because of where you are in AD. Mind you, of course, NTFS rights may also descend from above.
 
Dave.
 
As a general rule, I am much more a fan of setting up my GPO structure on an OU basis versus a group filtering basis. If anything, applying a bunch of GPOs to an OU a user is in and then filtering out which ones they really have access to with groups would be slower than having multiple OU levels, because there are more GPOs to loop through and check. I doubt it would add very much overhead, but there would certainly be more than a deployment based on the hierarchical structure would have.
