Mac WGM settings not taking/Windows GPO's overriding
I'm hoping someone here has some idea of what I'm about to waffle on about.
Have just integrated a mac suite into the windows domain.
Details as best I can remember:
-Mac Server: Lion 10.7.3 (Mac Mini), running in magic triangle setup (OD master, kerberos disabled, AD authentication, DNS running)
-Windows: Server 2k3 and 2k8r2, both running at 2k3 domain functional (and forest) level, with the relevant AD upgrade file applied (I forget what it's called, but it's a thingy file that upgrades AD schema to accept Win7/2k8 boxes on a 2k3 domain).
-GPO's applied to OU's containing all users, seperate policy for students/teachers, along with a default domain policy.
-MacbookPro's with lion 10.7.3
Followed standard guides for setting up magic triangle, used Deploystudio to create netboot and netinstall clients, then hopped the clients on and set the names accordingly.
WGM settings are not taking effect correctly
-User WGM settings are only applied to users with no AD GPO's in effect, or users with domain admin access.
-Machine WGM settings are only applied to machines if user has admin access (local or domain)
I moved the machines to a dedicated OU and blocked policy inheritance, didn't have any affect on settings.
I created a new user and only made it a member of Domain Users group, and put that user into folder with blocked policy inheritance. This user correctly applied WGM user settings.
I tried adding users with Augmented records into OD, no effect.
Now it looks to me like AD is forcing the GPO's and ignoring all WGM settings, but I can't for the life of me work out how to get round this.
It's not GPO settings overriding specific options, it's ignoring ALL WGM settings if a GPO is in effect for a non-admin user, but does seem to apply for users with admin priviledges.
Anyone know what I've done wrong? What am I missing? I'd rather not create all my users with no GPO's applied! And I don't want to have different logins just for the macs.
Any help much appreciated.