Hi all We're in the midst of a desktop rebuild project and will shortly migrate 1500+ machines from XPSP2/Office2003/IE6 to XPSP3/Office2007/IE8. We need to amend our Group Policy structure to accommodate the 'new build' environment alongside the existing environment. We have considered 3 different approaches:- 1. Create a brand new O.U. structure altogether then move users and computers across as and when they are migrated. [Unnecessary duplication of O.U.s.] 2. Retain the existing O.U. structure and add the Office 2007 ADM files to the existing Group Policy Object (GPO) with the 2003 ADM files. [This will increase the size of the GPOs to be processed, hence increase logon times. Also it is unknown whether applying the 2003 and 2007 ADM files in unison will cause conflicts] 3. Create 2 new GPOs (one for Office2007/IE and the other for site-specific re-directed folders). Then add the 2 new GPOs to each UK site within the existing O.U. structure and filter processing of both the existing and new GPOs based on security group membership. We understand this approach follows Microsoft best practice and moves away from the security compromises posed when using the Authenticated Users group, as in the case of our existing GPOs. This is our preferred option but we thought of the following issues:- Q1. We have found user group membership inconsistencies so we cannot rely on altering the existing GPOs by replacing Authenicated Users with office-based groups in the Security Filtering. And surely adding all domains users individually is not practical. Q2. The existing computers are not a member of any office-based groups so we see no easy way to move away from Authenicated Users and apply the appropriate Security Filtering.
Unless the necessary housekeeping is done for all users and computers (time is against us!) these 2 issues may be the show-stoppers that mean we may have to implement a brand new O.U. structure after all. Can anyone offer any help or an alternative solution that we may have overlooked please? Thanks Scott