+ 0 Votes Used a sub-organizational unit contact 4 years ago Ok, not sure if this is the best way to do it, but it worked. I created a sub-organizational unit under the OU where my individual user existed. Moved her down there and then added the GPO the new sub-OU. I could then also add the other OU that needed the GPO. If anyone has a better way to do this, let me know.~Pat + 0 Votes tough to provide suggestions CG IT 4 years ago OUs are logical structures and without knowing how the OU structure is, providing a suggestion is a guesstimate. OUs are containers and well like tupperware, you can nest them. you can apply OUs to the outer, inner, middle or any combination. The resultant set of policies are much harder to figure out without running RSOP tool. The other thing is that OUs being containers, making one up for just one user adds a level of complexity that might not be necessary. But as with anything,you have to keep track of what is what and the more complex system you have the more problem it is to keep track of what is what. Microsoft best practice on OUs is more than 4 levels and your asking for problems. Less is more. + 0 Votes Organizational structure contact 4 years ago My organization is quite small, maybe 200 users. I only have four non-standard OUs and only one level deep. The area I'm talking about here is I want to apply a GPO to a OU called Senior Staff and to one person in the Administration OU. I created a OU under Administration called Privileged Admins moved the person to that group and applied the OU to that group and the Senior Staff group. No sooner had I done that when I was asked to add one more person from the Administration group to the Privileged Admins. Seems like a reasonable approach, but I'm curious if there is a better way.~Pat + 0 Votes yeah it's reasonable..... CG IT 4 years ago Group Policies propogate from parent to child. So your OU called Senior Staff is a child of your Administration OU. Group Policy applied at the Administration OU level gets applied to the Senior Staff OU level and then the Group Policy at the Senior Staff OU gets applied. The resultant set of both policies is what matters. If the resultant set of both policies is not what you want, you might have to tweek or put no override in. So this is probably why no one jumped in to provide suggestions. Group Policy can get complicated and result in policies you might not want certain users to get, get them or what you thought they would get they don't. That and most are across the ocean in time zones 6 to 8 hours ahead. + 0 Votes Use security filtering on your GPO bulk 4 years ago Keep the OU hiearchy simple, as always. Create and link the GPO to both the Senior Staff and Administration OU's.Create a global group named Privileged Admins. Add all the Senior Staff and the one (now two) admin staff to that group.Remove "Everyone" read, and apply GPO permissions from the GPO, and add the new global group instead, so that only this group has read, and apply GPO permissions to the GPO. Conventionally you'd actually give a local group those perms and add the global to the local - you know...Hope that helps,RichardSwitzerland + 0 Votes If necroposting was a crime NexS 4 years ago I'd have you in gaol.