I thought this Information Week article did a good job of articulating the challenges of security compliance on Windows, and the use of Group Policy as the first line of defense here. Most folks have been using GP to lock down their desktop systems for a while now, but the reality is that Group Policy is THE mechanism for managing security configuration if your targets are Windows desktops and servers. However, there are challenges that folks have to deal with, as the article points out. Knowing whether policy actually worked across your environment, especially for sensitive security configurations, is a tough problem to solve.

It's one of the reasons that we have been working to release the Group Policy Compliance Agent, which is a new product that will run on your Windows servers and desktops and will collect vital statistics about GP processing. Most importantly, the agent will be able to optionally validate that settings that are reported by Resultant Set of Policy (RSoP) have actually been made successfully in the system’s registry or security configuration. This will go a long way towards closing the loop between setting policy and hoping that it has actually applied, let alone being able to prove it to your auditors!
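The kind of check described above, comparing what RSoP reports with what is actually in the registry, can be sketched by hand for registry-based (Administrative Templates) policy in the computer scope. This is an added example, not code from the Group Policy Compliance Agent. It assumes an elevated session on a machine with RSoP logging data in `root\rsop\computer`, that `registryKey` is relative to HKLM, and that string values are stored as NUL-terminated UTF-16LE. The helper name `ConvertFrom-RsopValue` is hypothetical.

```powershell
# Added example: RSoP-reported registry policy vs. the live registry (computer scope).
function ConvertFrom-RsopValue {
    param([byte[]]$Bytes, [uint32]$Type)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return $null }
    switch ($Type) {
        { $_ -in @(1, 2) } {   # REG_SZ / REG_EXPAND_SZ (assumed UTF-16LE, NUL-terminated)
            return [Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
        }
        4 {                    # REG_DWORD, decoded as Int32 to match what .NET returns
            if ($Bytes.Length -ge 4) { return [BitConverter]::ToInt32($Bytes, 0) }
            return $null
        }
        default { return [BitConverter]::ToString($Bytes) }   # other types: hex, display only
    }
}

# Winning (precedence 1), non-deleted settings that name a concrete value
$winning = Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_RegistryPolicySetting |
    Where-Object { $_.precedence -eq 1 -and -not $_.deleted -and $_.valueName }

$report = foreach ($s in $winning) {
    $expected   = ConvertFrom-RsopValue -Bytes $s.value -Type $s.valueType
    $comparable = $s.valueType -in @(1, 2, 4)
    $actual     = $null
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($s.registryKey)
    if ($key) {
        # Do not expand %VAR% so REG_EXPAND_SZ is compared against the stored string
        $actual = $key.GetValue($s.valueName, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $key.Close()
    }
    $status = if ($null -eq $actual) { 'Missing' }
              elseif (-not $comparable) { 'Unchecked' }
              elseif ($actual -ceq $expected) { 'Match' }
              else { 'Mismatch' }
    [pscustomobject]@{
        Status   = $status
        Key      = "HKLM\$($s.registryKey)"
        Value    = $s.valueName
        Expected = $expected
        Actual   = $actual
    }
}

# Anything other than 'Match' is a setting RSoP reports but the registry does not confirm
$report | Where-Object Status -ne 'Match' | Sort-Object Status, Key | Format-Table -AutoSize
```

Security settings such as account policies and user rights are reported through other RSoP classes and live outside these registry keys, so they are not covered by this check.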