Restrict users to printers and shares in Active Directory

I am relatively new to Active Directory and have trouble understanding the following scenario:

  • I have a set of users in the department of human resources
  • I have a set of users in the marketing department
  • Some users are both human resources and marketing.
  • I create a shared folder that only the marketing department can use
  • I am setting up a shared printer for the exclusive use of the HR department.

Initially, I thought I would do the following:

  1. Add HR users to the HR organizational unit
  2. Add marketing users to the marketing organizational unit
  3. Add users to both organizational units
  4. Apply a group policy to the HR organizational unit so that only users can print to this printer
  5. Apply a group policy to the marketing organizational unit so that only users access the folder.

However, I am stuck at step 3 above because it seems like I cannot add users to more than one organizational unit. I've considered using a local domain group instead of an organizational unit, but I think I cannot apply a GPO to a group.

I know that there is a way to do that. Where do I lack understanding and what is the right approach to deal with this situation?