On our Macs we use the AD/OD authentication triangle which is working fine. I use an XServe to dish out preferences to users and the Macs themselves.

One thing I can't get my head around though is the Access Control Lists on the computer groups themselves. I set it to Deny various groups (i.e Year 7,8 etc) and Allow Sixth Form groups (Admins,year 13 etc) and removed the Network Users generic group - basically to only allow staff,admins and sixth form to login.

This doesn't work, but only for the Year 13 group. Admins can login OK but not those particular students even though their year group has a specific Allow. Each student is a member of their Year group and an overall 'All students' group but I'm only using the Year groups for the settings.

This isn't what I would expect it to do, I know that Deny takes precedence over Allow, but their are no Denys that apply to this group? Very odd, or I'm not understanding how this works?