AD/OD Groups Problem
This topic has 1 reply, 2 voices, and was last updated 17 years, 3 months ago by afp548contributor.
January 4, 2008 at 10:08 pm #370966
dds (Participant)
I have an existing AD environment that I'm going to deploy Macs into. I am going to supplement AD with some basic OD stuff, mainly for the automation of auto-mounting network volumes and mapping network printers for users when they log in to the AD domain. Our AD infrastructure is pretty robust. Our OD domain is new, and not deployed into production yet. AD is used for authentication and authorization; OD will be mainly used for MCX management. My OD server is running Leopard Server 10.5.1. The AD DC servers are running Windows 2003.
I have 2 core types of AD groups that my Mac users need to be in:
1) Groups for printers (i.e., each user is in a group based on the location of nearby printers. Example: if you are on the 4th floor of Building 2 then you get the printers near you. No-brainer. This is already set up in AD.) This OD group has no policies except for printers. I don't want to manually configure printers each time a new Mac is deployed.
2) Groups for network mounts (i.e., each user belongs to a department, and thus will get that department's common shared volume mounted at login, along with a couple of company-wide public volumes too). No-brainer. This group has no managed policies except for network volume login items. I don't want to manually set up my users' network shares for them.
OK. So I set up the OD groups listed above: 1 set of OD groups for printers and 1 set of OD groups for network shares. I basically just created OD groups and dropped the related AD groups into them. Why reinvent the wheel, right? The AD groups already existed for the PC users, so I just created similarly named OD groups and added the corresponding AD group into each. Seems to work fine.
I added a test user to the proper groups (Example: “Joe User” works in the Account Dept, which is in Building 1, 1st floor). Therefore “Joe User” belongs to a printer group configured with his printers near the first floor of building 1, and he gets the Accounting group membership which means he gets the Accounting (SMB) network volume mounted at login. Simple right? Nope….
My problem:
Because “Joe User” is in 2 OD groups, when he logs into the Mac (which is bound to AD and OD) he is prompted to choose which OD group he wants to log in as (!). I don't understand why he can't be in both groups. The 2 groups don't have any conflicting properties, and thus I'm confused that “Joe User” can't get the printers mapped from the printer group and get the network volumes mounted via the network mount group.
My Windows based PC users have the exact same type of login policies in AD. 1 group for printers and 1 group for network volume mapping. I assumed OD would behave in a similar fashion.
Is there a way to blend multiple groups or combine them without a lot of manual labor?
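As an added illustration of what the poster is asking for (this is editor-supplied example code, not part of the original post and not Apple's MCX implementation): a small Python model that resolves a user's OD group memberships through nested AD groups, then combines the managed settings of every matching group, reporting a conflict only when two groups set the same scalar key to different values. The directory contents, group and user names, share paths and the settings layout are all constructed for the example, and the merge rule (union list-valued keys, flag disagreeing scalar keys) is an assumption that does not reproduce Leopard's real workgroup-combining behaviour.

```python
"""Model of nested AD-in-OD group membership and combined managed settings.

Editor-added example with constructed data. Not Apple's MCX code and not the
poster's real directory; every name below is hypothetical.
"""
from collections import defaultdict

# Constructed AD groups: group name -> set of user short names.
AD_GROUPS = {
    "AD\\Printers-Bldg1-Fl1": {"joe.user", "ann.lee"},
    "AD\\Dept-Accounting": {"joe.user"},
    "AD\\Dept-Engineering": {"ann.lee"},
}

# Constructed OD groups: each one nests an AD group, as the poster describes.
OD_GROUPS = {
    "printers-bldg1-fl1": {"AD\\Printers-Bldg1-Fl1"},
    "mounts-accounting": {"AD\\Dept-Accounting"},
    "mounts-engineering": {"AD\\Dept-Engineering"},
}

# Constructed managed settings per OD group: domain -> key -> value.
# Printer groups carry only printers; mount groups carry only login items.
MCX = {
    "printers-bldg1-fl1": {"printers": {"list": ["B1F1-Laser", "B1F1-Color"]}},
    "mounts-accounting": {
        "loginitems": {"list": ["smb://files/Accounting", "smb://files/Public"]}
    },
    "mounts-engineering": {
        "loginitems": {"list": ["smb://files/Engineering", "smb://files/Public"]}
    },
}


def resolve_memberships(user, ad_groups, od_groups):
    """Return the sorted OD groups a user reaches through one level of AD nesting."""
    direct_ad = {name for name, members in ad_groups.items() if user in members}
    return sorted(name for name, nested in od_groups.items() if nested & direct_ad)


def combine_settings(groups, mcx):
    """Merge managed settings across all of a user's groups.

    List-valued keys are unioned (first-seen order, duplicates dropped).
    Scalar keys must agree; a disagreement is recorded as a conflict tuple
    (domain, key, existing_value, new_value, offending_group).
    """
    merged = defaultdict(dict)
    conflicts = []
    for group in groups:
        for domain, keys in mcx.get(group, {}).items():
            for key, value in keys.items():
                current = merged[domain].get(key)
                if current is None:
                    merged[domain][key] = list(value) if isinstance(value, list) else value
                elif isinstance(value, list):
                    for item in value:
                        if item not in current:
                            current.append(item)
                elif current != value:
                    conflicts.append((domain, key, current, value, group))
    return dict(merged), conflicts


def effective_settings(user, ad_groups=AD_GROUPS, od_groups=OD_GROUPS, mcx=MCX):
    """Convenience wrapper: membership resolution followed by the merge."""
    groups = resolve_memberships(user, ad_groups, od_groups)
    settings, conflicts = combine_settings(groups, mcx)
    return groups, settings, conflicts


if __name__ == "__main__":
    for user in ("joe.user", "ann.lee"):
        groups, settings, conflicts = effective_settings(user)
        print(user, "->", groups)
        print("  settings:", settings)
        print("  conflicts:", conflicts or "none")
```

Run as a script it prints, for the constructed "joe.user", both OD groups, the union of his printer list and his Accounting and Public login items, and no conflicts, which is the outcome the poster expects from two groups with disjoint managed keys. The conflict path only fires when two groups disagree on the same scalar key, so it also shows where a "choose a workgroup" prompt would at least be justified.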