Benefits to using an OU-based GPO layout
- Easier to immediately see the affected set of objects
- Less overhead involved than managing additional security groups
- Less replication to other DCs and smaller user tokens, since you don't need a bunch of extra security groups (this probably doesn't matter much to a smaller infrastructure like you describe)
- In most organizations, almost all policies can apply at an OU level in a well-designed AD
- Easier delegation

Benefits to using a scope-based GPO layout
- More flexible
- Solves the "where should I put this object?" problem that comes up for employees that might "straddle" departments
- You can delegate the ability to add members to groups, which will allow helpdesk staffers to manage what policies apply where without giving access to changing GPOs

In reality, most organizations that I've dealt with take a hybrid approach. A GPO that can be applied based on OU typically is assigned to an OU and anything that "crosses" OUs or needs to be filtered to a subset of an OU uses security filtering or item-level targeting.
In fact, I actually just deployed a single GPO to map 50 printers to various departments and it was linked at the domain level and uses item-level targeting - yet almost all of the other GPOs that we have are linked to an OU with the default security filters.
TL;DR - do what makes sense for your organization.