Organisational Views are basically no different to containers in something like AD. Apply something to the top folder and all subfolders get whatever you have applied. Apply something to the deepest subfolder and then only stuff in that specific folder gets what you apply to that folder.
We use this for our software deployment policies. Our Organisational group is set up in a way so we can affect only specific parts of our business, as we are spread over 22 sites with different departments over multiple sites and roaming users across all. E.g. our departments like marketing and technical can be on several sites, but we apply policies usually at department level, but we have some special policies which are site specific by department, so we set it up as below:
Company - TOP Organisational Group
-> Workstations
---> Marketing
-----> Marketing-Site1
-----> Marketing-Site2
-----> Marketing-Site3
---> Technical
-----> Technical-Site1
-----> Technical-Site3
-> Laptops
---> Sales
-----> Sales-Site2
-----> Sales-Site4
We can then use an automation policy that adds the machines to each container and they automatically get the policies or specific stuff we apply on those containers instead of using filters and applying them that way. In policies it's easy for us as we can just apply it to groups in the filters you create there.
It doesn't matter for us at that point where the users are because the site servers will pick them up on whatever subnet they are on and apply the policies that affect that specific device set based on the filters we create in the policy or Jobs / Tasks. If I apply a policy at Laptops it will affect all machines in all those below subfolders regardless of department and site.
Personally, from what you are describing I would separate the devices out like ours in respect of Laptops and Workstations, but your top level folders would be Laboratory, work and whatever else needs to be segregated off. That way you can have policies that ensure if they are in the laboratory OU they will be forced to compliance.
If I wanted to apply something to a specific OU ad hoc by a job or task I would literally just go to the job / task and press new schedule > I would drop down the Add box and select Target > In the Add Target window click Add Rule > Then select 'Exclude resources not in' from the drop down > Select Group from the next drop down > Then select the OU you want to apply this to.
In respect of reporting I'm pretty sure you can do reporting on OU, though I haven't tried personally; due to our environment we report at environment level and then filter from there usually.
I'm currently using the software portal to distribute software we would define as specials and using AD Groups and specific user permissions to allow the request of software. We haven't found any issues with it so far. Just ensure the AD Sync is set up and it should start working fine. I don't personally like having to manually get involved; after having to do it for too many years without a fully automated management solution it's lovely to just tell the user to click on the shortcut and click on the software you want.
You have to find what
As above, you would have two folders under a top folder so that if you apply a policy to the top level it applies to everything in the sub folders.
-> Corporate Benchtops - TOP Folder
---> Corporate Benchtops Regulated - Subfolder of Corp Benchtops
---> Corporate Benchtops Non Regulated - Subfolder of Corp Benchtops
Though I don't use automation policies to migrate my desktops due to the way my desktop team work, we do use it for our servers.
Here's what I use:
-- Managed computers whose OS name contains both 'Windows Server' and '20'
-- and that have an IP address starting with 10.90.
SELECT
    [vri1_Computer].[Guid] AS [_ResourceGuid]
FROM
    [vRM_Computer_Item] AS [vri1_Computer]
    INNER JOIN [Inv_AeX_AC_Identification] AS [dca2_AeX AC Identification]
        ON ([vri1_Computer].[Guid] = [dca2_AeX AC Identification].[_ResourceGuid])
    INNER JOIN [vComputerResource] AS [ajs3_vComputerResource]
        ON ([vri1_Computer].[Guid] = [ajs3_vComputerResource].[Guid])
    LEFT OUTER JOIN [Inv_AeX_AC_TCPIP] AS [dca3_AeX AC TCPIP]
        ON ([vri1_Computer].[Guid] = [dca3_AeX AC TCPIP].[_ResourceGuid])
WHERE
    (
        (
            ([ajs3_vComputerResource].[IsManaged] = 1)
            AND
            ([dca2_AeX AC Identification].[OS Name] LIKE N'%Windows Server%')
            AND
            ([dca2_AeX AC Identification].[OS Name] LIKE N'%20%')
            AND
            ([dca3_AeX AC TCPIP].[IP Address] LIKE N'10.90.%')
        )
    )
Then I run an assign server to organisational group task to move those that fall into that filter, and we have a few of these for our datacenters / servers.
I know people who still are working purely on filters because of the way they worked on 6, but I was fresh with 7 and this seems to work across the board for us.
I hope this helps, if you have any questions feel free to give me a shout.
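
Added example, not part of the original post: the filter above run against constructed inventory rows in an in-memory SQLite database, to check which machines it would hand to the assign-to-group task before pointing it at a compliance-enforcing group. The rows, the short table aliases and the assumption that a machine can have more than one TCPIP row are mine; only the table and column names the posted query reads are modelled, and the N'' prefix is dropped because SQLite does not accept it.

```python
import sqlite3

# Constructed sample inventory: (guid, IsManaged, OS Name, IP addresses)
COMPUTERS = [
    ("g-srv1", 1, "Windows Server 2012 R2", ["10.90.1.10", "10.90.2.10"]),
    ("g-srv2", 1, "Windows Server 2008", ["10.91.1.5"]),     # other subnet
    ("g-srv3", 0, "Windows Server 2016", ["10.90.3.7"]),     # not managed
    ("g-wks1", 1, "Windows 10 Enterprise", ["10.90.4.20"]),  # not a server OS
    ("g-srv4", 1, "Windows Server 2019", []),                # no TCPIP row yet
]

# Same joins and conditions as the posted filter, with shortened aliases.
FILTER = """
SELECT {distinct} c.[Guid] FROM [vRM_Computer_Item] AS c
INNER JOIN [Inv_AeX_AC_Identification] AS ident ON c.[Guid] = ident.[_ResourceGuid]
INNER JOIN [vComputerResource] AS res ON c.[Guid] = res.[Guid]
LEFT OUTER JOIN [Inv_AeX_AC_TCPIP] AS tcp ON c.[Guid] = tcp.[_ResourceGuid]
WHERE res.[IsManaged] = 1
  AND ident.[OS Name] LIKE '%Windows Server%'
  AND ident.[OS Name] LIKE '%20%'
  AND tcp.[IP Address] LIKE '10.90.%'
"""

def build_db():
    """Create stand-in tables holding only the columns the filter reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE [vRM_Computer_Item] ([Guid] TEXT);
        CREATE TABLE [vComputerResource] ([Guid] TEXT, [IsManaged] INTEGER);
        CREATE TABLE [Inv_AeX_AC_Identification] ([_ResourceGuid] TEXT, [OS Name] TEXT);
        CREATE TABLE [Inv_AeX_AC_TCPIP] ([_ResourceGuid] TEXT, [IP Address] TEXT);
    """)
    for guid, managed, os_name, ips in COMPUTERS:
        db.execute("INSERT INTO [vRM_Computer_Item] VALUES (?)", (guid,))
        db.execute("INSERT INTO [vComputerResource] VALUES (?, ?)", (guid, managed))
        db.execute("INSERT INTO [Inv_AeX_AC_Identification] VALUES (?, ?)", (guid, os_name))
        db.executemany("INSERT INTO [Inv_AeX_AC_TCPIP] VALUES (?, ?)",
                       [(guid, ip) for ip in ips])
    return db

def run_filter(db, distinct=False):
    """Return the GUIDs the filter selects, optionally de-duplicated."""
    sql = FILTER.format(distinct="DISTINCT" if distinct else "")
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = build_db()
    print("as posted:    ", run_filter(db))
    print("with DISTINCT:", run_filter(db, distinct=True))
```

In this sample the server with two 10.90 addresses comes back once per address unless DISTINCT is used, and the managed server with no TCPIP row is skipped because the IP condition turns the LEFT OUTER JOIN into an inner match.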