Limit console login to AD-connected Xserve
This topic, https://www.afp548.com/forum/viewtopic.php?forum=24&showtopic=9889, is one of the best I can find on the Internet on this subject, but it doesn't answer the question, which is:
I have AD+Kerberos working on my 10.6 Snow Leopard Unlimited Server Xserve, how do I use AD credentials for services (e.g. web logins, mail, etc.) without allowing unauthorized accounts to log in on my console?
The Xserve behaves like a default configuration on a Windows desktop, i.e. ANYONE in the domain can walk up to the console and log in with their AD credentials. Now, in Windows, I know how to fix that: I remove domain users from the local users group and I'm done. Now I have to put a smaller group or individual users into local users to let the desired persons log in.
However, I don't see how to do that on a Mac, or whether it's possible.
Let's use a concrete example or two.
1) In the domain CLOWNS, there is one user Bozo. I want to let Bozo log into this Xserve on the console. However, I want to keep all the other clowns off the console. I don't want to make Bozo an admin, just give him access rights, while restricting the rest of the clowns. Possible?
2) Also in the domain CLOWNS, there is a group called KeystoneCops. I want to let the members of Keystone Cops get a console login, but everyone else, not so much. They can pick up their mail, authenticate to the webserver, post their blog, but not have a home directory and a console login. Can this be done & how?
Hope I've been clear, thanks so much!