So as I go about attempting to correct/clean-up/set-fire-to my predecessor's network, I have come up against a dilemma. We use an application which is intended to be set up on a workgroup despite the main server being Server2003; I have no idea why the vendors set it up this way.
If things were normal, I could just VLAN them all into a workgroup, but our situation does not allow that because we do not control layers 1-3. Then again, I would rather have them all on the domain anyway for manageability.
Would it be better, then, to set these machines up on their own subdomain set aside specifically for this application? The application uses a different set of password standards and group permissions than best practices allow, so I'm not sure exactly how to set this up in light of GPO management.
It should be noted that many of the application workstations are older machines running XP Pro, which I cannot currently change (the OS comes with the application installs), and although there is a newer version out, apparently it's hella buggy and isn't working correctly, so we won't be starting up trying to use that until March-ish.