You can also force refresh the MCX settings if you hold down the option key when logging in with an admin account (I think it's the option key!) which might be enough to kick things over. Also you can run the command line option: mcxquery (as the currently logged in user) to see what exactly is being done permissions wise by what user/group/computer/etc in WGM.
They don't have access to terminal currently so I'll have to see how else I can do that.
Edit: Scratch that, looks like they do have permission for terminal. (I should probably change that)
Ok I found the issue. Looks like the person before me had permissions set for both the usergroup AND the computer group for applications. So when I turned off the usergroup permissions it then defaulted to the computer group. Not sure why she set both of them. Applications should only be controlled by the usergroup correct?
Correct. System settings such as login window banners, time server, software update, etc. should be set for computer groups. Settings such as of course app restrictions, dock, system preference panes should be in the user group realm. Some can cross over as well such as printing which in a lab setting can be set on the computer level and in other instances at the user group level.
Originally Posted by Stryker412
If you set your users login shell to none instead of /bin/bash it wouldn't matter much if terminal.app was still allowed through your mcx app restrictions. They can open the app but the prompt to run commands won't display.