Back to basics here, the Organizational Unit (OU) structure of an Active Directory domain is critically important; it is a delicate balance between full-service central management, flexibility, and a simple, intuitive layout. And yet, there are some settings that may need to be applied globally to users or computer accounts that exist in a number of different OUs.
With a little work upfront, administrators can create Group Policy Objects (GPOs) for an OU or the entire domain but only apply it to users or computers that are members of a security group. This can be especially valuable for computer and user accounts that have configuration requirements that do not align to the OU structure. The process is the same for a computer or user account, but this is a good first step to separate filtering for each type.