That's what we do, but different conventions over the years as things increase just gets messy.
We have policies for different departments/sites, production/test, software installs/reg changes, wsus, desktops/servers, etc. The majority of settings are in the default policy, but there are a lot that are not. For WSUS, I wanted to split up the buildings on each site by IP range to distribute the installation to different departments. An example of this is 1 department requires IE7 for a webapp, but another department's webapp is only supported by the vendor on IE6. There is very little cross-contamination of departments within the same section of the buildings. I started with the most recent office opened, 3 floors, 6 IP ranges, so I ended up with 6 GPO's and 6 WMI filters just for the target group in WSUS. Did 1 more site with 4 scopes and never got round to doing the rest of them. The ranges are from 2 to 11 different IP ranges across 8 sites. A lot of moving about to check different settings, just would be nice to have OU's for gpo's and wmi's, just for visibility, easier to see all the related policies without everything else. Thought something like this would have made it into WS08, but unfortunately not, not that we'll be upgrading anytime soon, there was a project in motion to do this but it's been side-lined for one reason or another, think it came down to having to purchase new cals for 2800 desktops, not 100% sure. Regards Tony Patton Desktop Operations Cavan Ext 8078 Direct Dial 049 435 2878 email: [email protected] Ken Schaefer <[email protected]> 06/08/2009 10:16 Please respond to "NT System Admin Issues" <[email protected]> To "NT System Admin Issues" <[email protected]> cc Subject RE: GPO for a single user Most people use a naming convention to have the list sorted, and this tends to ?group? the GPOs. What sorts of things are you imagining for grouping? Cheers Ken From: tony patton [mailto:[email protected]] Sent: Thursday, 6 August 2009 4:02 PM To: NT System Admin Issues Subject: Re: GPO for a single user I'd just be happy with a way to organise GPOs and WMI Filters, instead of a big flat messy list of both. It would be nice to have them grouped in some logical fashion. Regards Tony Patton Desktop Operations Cavan Ext 8078 Direct Dial 049 435 2878 email: [email protected] Ben Scott <[email protected]> 05/08/2009 18:14 Please respond to "NT System Admin Issues" <[email protected]> To "NT System Admin Issues" <[email protected]> cc Subject Re: GPO for a single user On Wed, Aug 5, 2009 at 1:02 AM, Ken Schaefer<[email protected]> wrote: > Sorry, but I'm failing to see why this particular feature request > is one that should go in, but inevitable requests for additional > extensions to the functionality should not :-) Because I said so, of course. ;-) To me, it's a combination of the zero-one-infinity rule, and a more fuzzy concept that I'm finding hard to articulate, but has something to do with the fact that it makes sense to be able to apply things individually or in groups. We already have a mechanism for groups, but nothing for individuals (except a degenerate case of groups). I guess I'm thinking along the lines of HKCU vs HKLM registry settings, or /etc/profile vs $HOME/.profile for the Unix shell, etc. Like I said, I'm having trouble articulating this, but I'm pretty sure there's a difference. (I have a reason. Just give me a minute to think of one. ;-) ) Come to think of it, it probabbly would have made more conceptual sense for the design to have GPO application be driven by groups to begin with, with OUs being irrelevant for GPOs. We end up applying GPOs based on group membership a lot anyway, so why not just make that how it works? (I realize that may have been a performance issue, or a code maintenance issue due to all the crufty old NTLM code that still's around. I also realize this is 20/20 hindsight.) -- Ben ==================================================================== http://www.quinn-insurance.com This e-mail is intended only for the addressee named above. The contents should not be copied nor disclosed to any other person. Any views or opinions expressed are solely those of the sender and do not necessarily represent those of QUINN-Insurance, unless otherwise specifically stated . As internet communications are not secure, QUINN-Insurance is not responsible for the contents of this message nor responsible for any change made to this message after it was sent by the original sender. Although virus scanning is used on all inbound and outbound e-mail, we advise you to carry out your own virus check before opening any attachment. We cannot accept liability for any damage sustained as a result of any software viruses. ==================================================================== QUINN-Life Direct Limited is regulated by the Financial Regulator. QUINN-Insurance Limited is regulated by the Financial Regulator and regulated by the Financial Services Authority for the conduct of UK business. ==================================================================== QUINN-Life Direct Limited is registered in Ireland, registration number 292374 and is a private company limited by shares. QUINN-Insurance Limited is registered in Ireland, registration number 240768 and is a private company limited by shares. Both companies have their head office at Dublin Road, Cavan, Co. Cavan. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
