But not every server in an environment of several hundred servers is going to have the same policies, so wouldn't this check false all of the time? Are most users defining this policy for small groups and then auditing those groups against the policy?
I can't imagine large enterprises having the same policy for all servers.
Very good points. The ability to have multiple policies is a Product Enhancement Request (PER) I know has been made before. I'm unsure of the plans to add it. However, if you add your 2 cents by submitting a PER yourself, it might give it a better chance of happening.
To submit a PER go here:
As far as how other customers are doing this, I would have to let them weigh in to be sure, but I think they modify the policy as needed.
I hope that helps!