I like the way Active Directory (AD) allows you to group users into Organisational Units (OUs). This allows me to group my users into departments and set group policies for members of departments. As we are a small company, people change roles relatively frequently, so this structure allows me to change users' policies very quickly. For example, I have a tighter password policy for the sales team (who are on the road and therefore require remote access) than for office-based users. If an office-based guy moves to the sales team, I change his policy simply by moving him to the Sales OU. I can also use LDAP to auto-generate phone lists and organisational charts on the intranet based on OU membership.

However, I can't find a simple way to set file and folder permissions by OU. This seems to me an obvious oversight - unless I've missed something obvious (won't be the first time). It seems I also have to maintain parallel group objects - something that makes me uncomfortable - having duplicate systems usually ends up causing inconsistencies.

Does anyone know how to either set file/folder permission based on OU membership, or tie group membership to OU membership?
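One way to tie group membership to OU membership, as an added example that is not part of the original post: a script that reconciles a security group (used on the NTFS ACLs) against the users sitting in an OU, so the OU stays the one place a user is moved. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and group name are placeholders.

```powershell
# Added example (not from the original post): keep an AD security group's
# direct membership equal to the set of users in an OU, so file/folder
# permissions can be granted to the group while users are only ever moved
# between OUs. Requires the ActiveDirectory module (RSAT) and PowerShell 3+.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OU    = 'OU=Sales,DC=example,DC=com',   # placeholder OU DN
    [string]$Group = 'Sales-FileShare'               # placeholder group name
)
Import-Module ActiveDirectory

# Users directly in the OU. OneLevel ignores child OUs; use Subtree to include them.
$wanted = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope OneLevel |
            Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the group (nested groups are left untouched).
$current = @(Get-ADGroupMember -Identity $Group |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty distinguishedName)

# Users in the OU who are not yet in the group.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
# Users still in the group who have since been moved out of the OU.
$toRemove = @($current | Where-Object { $_ -notin $wanted })

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
        Add-ADGroupMember -Identity $Group -Members $dn
    }
}
foreach ($dn in $toRemove) {
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
        Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
    }
}
Write-Verbose "Added $($toAdd.Count), removed $($toRemove.Count) member(s) of $Group"
```

Run it with `-WhatIf` first to see which accounts would be added or removed, then schedule it (or run it after each OU move) so the group never drifts from the OU.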