I almost forgot to mention, with regard to policies: help desks and IT in general don't often want to deal with individual user accounts when they could deal with whole teams/departments/organisations. That being said, why wouldn't it make sense to permit policy to be applied to groups and OUs? Department and other attributes are nice - when they can be applied - but really, this would be the ultimate way to ensure the right policy is applied to the right place.
I love OU in particular, since it has implied conflict resolution. If you apply a policy to one OU, and then another to an OU contained within that, the policy closest to the user would win. For example, the Microsoft OU has a Server ActiveSync policy applied to require a password of 4 characters. Within that, the Redmond OU has another Server ActiveSync policy which specifies 8. The Redmond one wins - except for the user who has an explicit policy assigned that specifies none (the boss, of course).
That seems a fairly neat way to resolve it; of course, there could be configurable behaviour that allows individual organisations to specify this (could be farthest first wins). This could even be a cmdlet to make you guys happy ...
Now with groups, that's more complex. A user could be part of two groups (Development and Production), each with a Server ActiveSync policy applied. Which one wins? Obviously one has to, all the time, in order to maintain consistency.
So given that you've associated policies with groups, you could keep an enumerated list of all groups. The administrator can then select which one has precedence. This is limited, but then you'd want to encourage people to use OUs for flexibility.
Alternatively, have an option to allow administrators to specify whether the most restrictive or the least restrictive wins. Give them a little query tool to test it - bingo!
Finally, and most messy, create a new type of AD group - the "policy group" and users can be assigned to that to determine which policy they get - and they can only be in one policy group at a time. I don't much like that one and feel dirty for writing it.
I'd especially like to see OUs implemented. I think it could really help Exchange administration. If you think about an organisation with OUs for Marketing, IT, Sales, Executive, etc ... each with their own particular requirements for email addresses, mailbox management, ActiveSync settings - sure, you could set it on a per user basis, and fiddle around with little cmdlets to automate it. Or it could just be built into the product in the first place and make customers think "Oooh, what an amazing feature that just saved me time, effort, and even money. I think I'll make best use of that time to go evaluate a new Microsoft product; I could even make a business case for it using the money we saved." :-)
Late in the cycle? Sure, but you have so much of it there already. Why not take the time to put it in and make it good!
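
The precedence rules proposed in the comment above, modelled as an added example (not part of the original comment, and not how Exchange behaves). The DNs, group names, function names, and the choice of a minimum password length with 0 meaning "none" are assumptions made for illustration.

```python
import re

def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def norm(dn):
    return ",".join(rdns(dn))

def parent_ous(user_dn):
    """OU containers above the user object, nearest first."""
    parts = rdns(user_dn)
    return [",".join(parts[i:]) for i in range(1, len(parts))
            if parts[i].startswith("ou=")]

def resolve_ou(user_dn, ou_policies, explicit_policies, nearest_wins=True):
    """Return (min_password_length, source). An explicit user policy always wins."""
    key = norm(user_dn)
    if key in explicit_policies:
        return explicit_policies[key], "explicit"
    chain = parent_ous(user_dn)
    if not nearest_wins:          # the configurable "farthest first wins" option
        chain.reverse()
    for ou in chain:
        if ou in ou_policies:
            return ou_policies[ou], ou
    return None, "no policy"

def resolve_groups(user_groups, group_policies, mode="most_restrictive", precedence=()):
    """Pick one group policy deterministically; ties break on group name."""
    if mode == "precedence":      # administrator-ordered list of groups
        for g in precedence:
            if g in user_groups and g in group_policies:
                return group_policies[g], g
        return None, "no policy"
    found = [(group_policies[g], g) for g in user_groups if g in group_policies]
    if not found:
        return None, "no policy"
    return max(found) if mode == "most_restrictive" else min(found)

# Constructed sample data mirroring the example in the comment.
ROOT = "OU=Microsoft,DC=example,DC=com"
OU_POLICIES = {norm(ROOT): 4, norm("OU=Redmond," + ROOT): 8}
EXPLICIT = {norm("CN=Boss,OU=Redmond," + ROOT): 0}
GROUP_POLICIES = {"Development": 4, "Production": 8}

if __name__ == "__main__":
    for who in ("CN=Alice,OU=Redmond," + ROOT, "CN=Boss,OU=Redmond," + ROOT):
        print(who, "->", resolve_ou(who, OU_POLICIES, EXPLICIT))
```

Returning the source alongside the value is what makes this usable as the "little query tool": an administrator can see which OU, group, or explicit assignment produced the effective setting.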