Active Directory, User Groups and Organisational Units

I like the way Active Directory (AD) allows you to group users into Organisational Units (OU). This allows me to group my users into departments and set group policies for members of departments. Being a small company people change roles relatively frequently, so this structure allows me to change users policies very quickly. For example, I have a tighter password policy for the sales team (who are on the road and therefore require remote access) than for office based users. If an office based guy moves to the sales team, I change his policy simply by moving him to the Sales OU. I can also use LDAP to auto-generate phone lists and organisational charts on the intranet based on OU membership.

However, I can't find a simple way to set file and folders permissions by OU. This seems to me an obvious oversight - unless I've missed something obvious (won't be the first time ). It seems I also have to maintain parallel group objects - something that makes me uncomfortable - having duplicate systems usually ends up causing inconsistancies.

Does anyone know how to either set file/folder permission based on OU membership, or tie group membership to OU membership?

 

As a follow up to this, I posted the query on a couple of other sites and hit a blank there too. I got a response from a Microsoft group, but it was along the lines of "no you can't do it ". I still can't see why - to me it seems such an obvious thing to want to do, but who am I to argue.

And one thing got worse. In the answer to my query, it was pointed out that the security setting for password policy could only be set at the AD root. Therefore you can't have different password policies for different OU groups. When I tested the system I realised they were right. This demonstrates that I didn't test the set up properly beforehand. I had foolishly assumed that as you could set the property at a lower level (and do things like stop inheritence) that it would be set for individual lower levels.