On Wed, Aug 5, 2009 at 1:02 AM, Ken Schaefer<[email protected]> wrote: > Sorry, but I'm failing to see why this particular feature request > is one that should go in, but inevitable requests for additional > extensions to the functionality should not :-)
Because I said so, of course. ;-) To me, it's a combination of the zero-one-infinity rule, and a more fuzzy concept that I'm finding hard to articulate, but has something to do with the fact that it makes sense to be able to apply things individually or in groups. We already have a mechanism for groups, but nothing for individuals (except a degenerate case of groups). I guess I'm thinking along the lines of HKCU vs HKLM registry settings, or /etc/profile vs $HOME/.profile for the Unix shell, etc. Like I said, I'm having trouble articulating this, but I'm pretty sure there's a difference. (I have a reason. Just give me a minute to think of one. ;-) ) Come to think of it, it probabbly would have made more conceptual sense for the design to have GPO application be driven by groups to begin with, with OUs being irrelevant for GPOs. We end up applying GPOs based on group membership a lot anyway, so why not just make that how it works? (I realize that may have been a performance issue, or a code maintenance issue due to all the crufty old NTLM code that still's around. I also realize this is 20/20 hindsight.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
