Group Policy to me is a solution that's both unnecessarily complex and overly simple.' At the one end, you can deploy a GPO to any Organizational Unit in your domain.' That's great when the OU is perfectly matched with the users or computers to whom you want to deploy the setting.
Native Group Policy falls down, however, when OUs and boundaries for settings are mismatched.' The steps get far more complicated when your users are contained in a single OU but you need to deploy a GPO setting to just a few.' They absolutely exist, but making use of them requires careful planning and not a small amount of precise testing.
In this article, I talk about some of the tactics you can use in targeting Group Policy settings.' With Group Policy, you're still forced to apply a GPO to an OU.' But once applied you can tailor its application to a subset of objects through a WMI Filter. In my video, I show you how to use WMI filters to restrict Group Policies.' Native Group Policy can also be made slightly dynamic, if you apply policies to Sites rather than OUs.
In telling this story, I'll also share a few of my dreams for a better way.' That better way exposes GUI-based management rather than WQL queries.' It gives me dynamic targeting rather than workarounds for the settings I need deployed the most.' With a better solution, I might find that I'll use Group Policy more effectively for locking down the computers in my environment.
Have you found any better ways to target Group Policies?