As far as I know it's still LSDOU unless something's changed in 2008 which I don't know about. Filtering and ACEs have already been discussed.
On a theoretical level, how could Ben's request work? If Group Policy is AD-based, then you're stuck with the SDOU part unless I'm missing something. Right? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
