Managing Computer Lists Via AD
Hi everyone,
At work my area is looking at how to best integrate Macs into existing IT infrastructure in order to keep support costs to a minimum. One of the solutions is to push out MCX settings to all Macs via Active Directory by applying the Mac schema to our domain. We currently have a test domain with the Mac schema applied to it, which meets most of our requirements, but we have come across a limitation in managing computer groups with Workgroup Manager.
I’ve read and followed the instructions of “Workgroup Manager and Active Directory with Extended Schema Technical White Paper May 2009” to create ‘apple-computer-lists’ objects with ADSI Edit, which works as expected, with computer lists showing up in Workgroup Manager (see below link for image).
[url]https://lh4.googleusercontent.com/_gKLJ5PTcPxY/TV8IS0r1-KI/AAAAAAAAAA0/Inzg2SUM4pQ/image001.jpg[/url]
The issue we have is that the object in Active Directory doesn’t show up as a normal security group if we create it with ADSI, so we are unable to add new computer objects in the Members tab. Only Workgroup Manager is able to add computer objects to the group and update the ‘apple-computers’ string in the schema when adding new computer objects to the computer list.
As you can see from the below screenshot, we don’t have a Members tab like we normally would in a security group in AD to add computer objects to, but we do see in the Attribute Editor that the computers that have been added with Workgroup Manager show next to the apple-computers attribute as a value.
[url]https://lh5.googleusercontent.com/_gKLJ5PTcPxY/TV8ITFIBLRI/AAAAAAAAAA4/8c2VQolUXkU/image002.jpg[/url]
In a small environment manually adding computer objects to these groups via Workgroup Manager is feasible, but this isn’t practical when applied to a large number of computer objects. We currently have around 700 Macs we manage, with the long-term plan to support many more in the coming years. Currently with PC objects we have batch files (and in future Windows PowerShell scripts) that automate new computer objects being moved into the security groups they should fall under as they come online, making managing policies across departments easier on a group level. Since the objects that ADSI creates are not normal security groups in AD, is there a way we can automate or change the schema to make adding new computer objects to groups easier to manage in a large environment? The solution can be on the Mac side with Workgroup Manager or in Windows (preferred), as it’s currently done on our domain.
Keep in mind this only applies to security groups with computer objects. If we set up a security group in Active Directory and add user objects, Workgroup Manager reads the group correctly and applies the settings as required to the members in that security group.
We are happy to use Workgroup Manager to apply the MCX settings to each group, but we are looking for a solution to automate how new computer objects and existing ones can be moved into the required security groups, as manually moving them with Workgroup Manager isn’t practical with the number of computer objects we have.
Currently Macs in our environment are not bound to anything, and management isn't looking at replicating the AD directory into OD since so many systems are already linked to AD and the magic triangle has its own bucket of issues. So the ideal solution is to get the Macs to play nice with AD as a means for us to continue the justification of having Macs as an alternative platform in our environment.
Any help is appreciated.
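One Windows-side way to automate the membership the post describes, written as an added example rather than anything from the original post or the white paper: instead of looking for a Members tab, append each computer's name to the multi-valued ‘apple-computers’ attribute of the apple-computer-lists object, which is the value the post observed Workgroup Manager writing. It assumes the ActiveDirectory PowerShell module, that Workgroup Manager stores plain computer record names in that attribute (as seen in Attribute Editor), and uses placeholder DNs for the list and OU.

```powershell
# Added example (not from the original post). Appends computer objects to the
# 'apple-computers' attribute of an apple-computer-lists object in AD.
# Assumption: the attribute holds the computer's record name, matching what
# Workgroup Manager writes. Run it under an account delegated only
# write access to that attribute on the computer-list objects.
Import-Module ActiveDirectory

function Add-AppleComputerListMember {
    param(
        [Parameter(Mandatory)][string]$ListDN,         # DN of the apple-computer-lists object
        [Parameter(Mandatory)][string[]]$ComputerName  # computer names without the trailing '$'
    )
    # Read the current values once so duplicates are never written.
    $list    = Get-ADObject -Identity $ListDN -Properties 'apple-computers'
    $current = @($list.'apple-computers')
    $added   = @()

    foreach ($name in $ComputerName) {
        # Only accept names that exist as computer objects in the domain.
        try {
            $computer = Get-ADComputer -Identity $name
        } catch {
            Write-Warning "No computer object named '$name'; skipping"
            continue
        }
        if ($current -contains $computer.Name) {
            Write-Verbose "'$($computer.Name)' is already a member"
            continue
        }
        # -Add appends one value to the multi-valued attribute without
        # touching the members Workgroup Manager already wrote.
        Set-ADObject -Identity $ListDN -Add @{ 'apple-computers' = $computer.Name }
        $current += $computer.Name
        $added   += $computer.Name
    }
    return $added   # names actually appended on this run
}

# Usage (placeholder DNs): every computer object in a department OU joins that
# department's computer list, so new Macs are picked up on the next scheduled run.
$ou      = 'OU=Finance Macs,OU=Workstations,DC=example,DC=local'
$listDN  = 'CN=Finance Macs,CN=Computer Lists,DC=example,DC=local'
$members = Get-ADComputer -Filter * -SearchBase $ou | Select-Object -ExpandProperty Name
Add-AppleComputerListMember -ListDN $listDN -ComputerName $members -Verbose
```

After the first run, open the list in Workgroup Manager to confirm it reads the appended names the same way it reads its own; if it expects a different value form, that is the only line to adjust.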