Best Practice - 1 large domain level gpo vs several smaller OU level gpo

• Wednesday, May 23, 2012 6:06 PM

   

   
  

  0

  So we are in the process of setting up printer deployment via GPO with user preferences but we are unsure what would be the best way to manage this.  

  Currently its setup like this.

  • About 30 OU's based on geographical location
  • Each one has a printers GPO linked to it for the printer in their area - all users in the ou get it
  • When someone from another OU need to print to a printer in a different location we have to add that printer to that GPO and use item level targeting to keep other users in the same OU from seeing that printer as well.

  So as you can tell this can be kind of messy.  So I'm thinking of changing it to this:

  • Create a security group for each printer
  • add any users that need that printer to it.
  • create a single domain level policy with all printers in it.  Each one pointing to the respective security group.

  So here is my concerns and questions.

  1. In the current setup.  When the user logs and and it processes the gpo's does it read and process only linked gpo's that apply to that user or does it read all gpo's, even one say linked to another OU, then process only the ones that apply to them.
  2. In the new setup concept there will be roughly 50 printers in this one GPO but only 1-3 will be installed based on what groups that user is a member of.  Will this take a long time to run?

  Thanks all for the help in advance. 

  • Reply
  • Quote