What is considered best practice? Linking GPOs at the Domain Level with Item Level Targeting or linking GPOs at the OU level?
Link GPO at Domain Level or OU Level????
Even with item-level targeting, best practice would still be to link the policies to the target OUs. Item-level targeting is really more about filtering a policy so it only applies to certain objects within an OU, or subset of OUs. It is a much easier and more robust way to do security filtering. If you know a policy will only apply to a certain subset of OUs, it would be better to link it there, than link it to the domain. Linking every policy to the domain and then doing item-level targeting will cause unnecessary processing, especially during busy times on the domain controller. In a small organization, this might not be noticeable, but as the organization gets larger, this could impact logon times.
Hope this helps,