Using Active Directory Groups



I have a 10.4.2 server configured as an Open Directory Master. It also has the Active Directory plug-in configured to connect to my Windows 2003 Native-Mode domain. I have both the Mac server and Mac clients configured to use the AD search path first, then the LDAP (Open Directory) search path next in the Directory Access utility. The clients are currently on 10.3.8, but I intend to move them to 10.4.2 when I get the 10.0 edition of Norton Antivirus.

My intention is to use the OS X server to manage user settings (such as application use limitations). I can successfully add individual users from the AD to a managed group in the OD and impose these limits. However, I can only seem to get these limits imposed by adding each individual user to this managed group. If I just add an AD group (such as domain\users), these limitations are not applied.

Is there a way to impose limitations on an AD group so I don't have to keep adding individual AD users to the managed group? I have not made any extensions or changes to the AD schema, and unfortunately, have no experience in doing so.