Quote:
Well, both reasonable ideas, although both rely on configuration settings that are per machine. I don't see how I could handle mobile users that travel from site to site.


Good point. If you have a large enough peripatetic staff base then that would be a problem. If you were going down the group route then you'd base your "branch" group's name on the local (masked) subnet and create the hierarchy as before.