AFP548

Mac Clients, RFC 2307, Active Directory, FERPA, Security and more… OUCHIE

Things are getting worse around here... In efforts to make the AD servers more "RFC 2307" unixie compliant, certain groups are becoming "privatized", meaning that if you aren't in the group you can't query it. (This makes the FERPA people happier.)

In my Golden Triangle environ... it breaks things.... A client bound to both AD and OD, this machine (or suite of machines in a lab setting) has access limited to log in... For example, I have a Music Lab, and I would like to limit access to all students in Music_Classes and faculty in Music_Faculty. Both of those groups exist in AD; on my OD server I create a group called Music_Lab_Access and give it two members, the groups from AD. HOWEVER - the _MACHINE_ is not in either group and difficulties ensue.

So far, the only way to patch this is to put the Macs into a "Pre-Windows 2000" group or somesuch on the AD side. This gives the machines access to read what the user can't and then authenticate them.

What kinds of privacy issues are dealt with out there in your realms, and how do you overcome them?

Rich