Limiting which Active Directory users can login

[kayote]

Computer running OS X 10.4.11, authenticates via MS Active Directory.

I only want users in certain AD groups to be able to use the machine.

I know how to limit logins with Group Policy on Windows XP boxes, but there is preference to the newest limited-access being OS X. I haven't been able to figure out how to do it.

If needed, I can hard code an AD user list (rather than an AD group), but I'd prefer to use groups for consistency with other machines & simpler upkeep.

All I've come up with is a LoginHook that checks usernames & promptly logs off if the usernames doesn't match a given list. That's really clunky & hacked together (and resulting in support calls from people who don't realize they aren't supposed to be able to login). I'm hoping for a cleaner solution.