I have a task to enable IPsec for computer/server communications. However, there are TONS of systems, 8500 desktops and boatloads of servers. They are all nicely placed into OUs based on department. Both servers and workstations are nested in an OU, i.e.
I was considering creating a single GPO linked to the department OU that configures "Secure Server", since it will initiate encryption to the target if supported. This way all traffic for that OU will be secured and I won't have to make TONS of filters to allow for other systems. The clients not only communicate with the OU servers but with other servers in other OUs. Same with the servers. They need to be able to respond to non-IPsec-based systems. The objective is to secure all communications WITHIN the OU.
In the future they may require servers to be set to required; in that event, filters will be needed.
Also, there is a mix of Windows 7/Vista/XP for desktops and 2003/2008 for servers.
As far as filtering the GPO, I was just going to link it to the OU, leave security filtering at "Authenticated Users", edit my IPsec policy and assign it.
If I am not doing this correctly, please help me out.
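Added example for the procedure described in the post above (create the IPsec policy, create and link the GPO, keep the default Authenticated Users filtering, verify). This is not the poster's code or any vendor script; the domain name corp.example, the OU "OU=Finance,DC=corp,DC=example", and all policy/GPO names are assumptions. It uses the legacy netsh ipsec static context (the store that XP/2003/Vista/7/2008 all consume) plus the GroupPolicy PowerShell module, so it is meant to run from a Server 2008 R2 or newer management box joined to the domain. The filter action negotiates ESP but falls back to clear text when the peer never negotiates, so hosts in other OUs that do not run IPsec keep talking to this OU's systems.

```powershell
# Added example, not from the original post. Assumed names: domain corp.example,
# department OU "OU=Finance,DC=corp,DC=example", policy/GPO names below.
Import-Module GroupPolicy

$Domain  = 'corp.example'                        # assumption
$OuDn    = 'OU=Finance,DC=corp,DC=example'       # assumption: department OU holding servers AND workstations
$GpoName = 'IPsec - Finance - Request Security'  # assumption
$PolName = 'Finance Request Security'            # assumption: IPsec policy name in the AD store

# 1. Build the IPsec policy in the Active Directory (domain) store. Everything created while
#    the store is set to 'domain' lands in the domain's IP Security container and shows up
#    under "IP Security Policies on Active Directory" in every GPO editor.
netsh ipsec static set store location=domain domain=$Domain

netsh ipsec static add policy name="$PolName" description="Negotiate IPsec for all traffic, fall back to clear" activatedefaultrule=yes

# Filter list "all IP traffic": from this host (me) to anywhere, mirrored so that replies
# and inbound connections match the same rule. One list, no per-peer filters to maintain.
netsh ipsec static add filterlist name="All IP Traffic - $PolName"
netsh ipsec static add filter filterlist="All IP Traffic - $PolName" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

# Filter action: negotiate ESP (encryption + integrity).
#   inpass=yes  accept an unsecured inbound packet but always answer with IPsec negotiation
#   soft=yes    if the peer never negotiates, allow a clear-text "soft" association
# Together these give request-security behaviour: OU members encrypt with each other,
# non-IPsec systems elsewhere still get answered. For the future "required" stage,
# change to soft=no and add the filter lists for systems that must stay exempt.
netsh ipsec static add filteraction name="Request ESP - $PolName" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=yes soft=yes

# Rule ties the list and action to the policy; Kerberos (domain computer accounts)
# authenticates the peers, so no certificates or pre-shared keys to roll out.
netsh ipsec static add rule name="Secure all traffic" policy="$PolName" filterlist="All IP Traffic - $PolName" filteraction="Request ESP - $PolName" kerberos=yes

# 2. Create the GPO, link it to the department OU, and check the default security filtering.
#    A new GPO already grants Authenticated Users Read + Apply, and computer accounts are
#    members of Authenticated Users, so every machine under the OU applies it.
$gpo = New-GPO -Name $GpoName -Comment 'Assigns the request-security IPsec policy to the department OU'
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group

# 3. Assigning the policy inside the GPO is left to the Group Policy editor in this example:
#    Computer Configuration > Windows Settings > Security Settings >
#    IP Security Policies on Active Directory > right-click "$PolName" > Assign.

# 4. Verify on a member of the OU after 'gpupdate /force':
#    netsh ipsec static show gpoassignedpolicy   -> which policy the GPO delivered
#    netsh ipsec dynamic show mmsas              -> main-mode SAs with peers that negotiated
#    A peer outside the OU that does not run IPsec shows no SA and traffic still flows in clear;
#    two OU members show an SA pair between them.
```

Two things worth checking before rolling this to 8500 desktops: run it against a pilot OU first (link the GPO there, not to the department OU) and watch `show mmsas` on a pilot workstation and server, and confirm that the domain controllers are not in the scoped OU, since negotiating to the DC that issues the Kerberos tickets used for the negotiation itself is the classic way to lock an OU out.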