MCX and nested groups

We have played with this fairly extensively and found it simply does not work the way Apple hoped it would (regarding MCX) and it is basically only good for file/folder permissions. Groups do not inherit preferences (although I'm told this WILL be working soon).

I had my friendly local Apple Service Engineer with me at the time and he suggested an interesting workaround (one that I hadn't thought of): You can use the computer level preferences (the third tab with the two boxes) to create an "uber" group of base permissions leaving you with much less work to create the groups. Before we did this we had to essentially duplicate each user groups list of allowed applications. Now we have a "base" list of allowed apps listed for the Guest computers (which is just about all the computers on the network) and we only need to specify a few "specialty" apps in each of the user groups (we are using a whitelist approach, obviously).

I did not realize the prefs would be additive like that, but they are, AND you can add some more prefs per user without conflict.

One last comment, you can specify access if you are managing prefs at the computer level. For example, we have a "Teacher" computer level group because we don't want any app restrictions for the staff (we are a HS). You can specify the teacher user group are the only ones who can log in to the teacher computer group, just in case a student grabs a teacher machine and tries to log in. Not huge security, but a nice little extra from MCX!