Magic Triangle and AD authentication with OD WGM

Hi All, We're using an OD WGM (10.5) and AD (win2k3). Users are in AD groups and those groups are in OD groups for User Group Management. I have found that since we are authenticating against the AD, Users that are not within OD groups are still able to login to the Macs and not receive WGM management. I understand why this could happen. My question is, how do I prevent it (or is my setup wrong)? I dont want to add every user into a wgm user group (as we have 1000s of users not using Mac and to much management) or add a top level OU, then every user will be in 2 or more groups (potential user error logging into wrong group). What would be good is to prevent users from login in to a Mac if they are not in an OD group. Any idea welcome. Thanx