I've been using the Apple Active Directory plug-in for Directory Services to "bind" a Mac to an Active Directory (AD) computer account ever since 10.3 came out. It has worked like a charm! Users with an AD user account (in a specified AD group) could log onto a Mac that they had never visited before, and would have a local account created for them with administrative rights on the Mac. They could connect to network file shares without authenticating for each connection.
But now, after the latest 003 security update, trying to bind a Mac to an AD computer account stopped working. It gave me an error at the last stage of the bind saying that the user account didn't have sufficient privileges (referring to the AD user account I supplied) to join the Mac to the AD computer account. So, I called up a network administrator to help me troubleshoot it, and here is what we found out.
When you create the computer account in AD, just like always, it inherits the permissions of the organizational unit (OU) it was created in. The admin group I am a member of has full permissions on this OU, so the group was added to the computer account with full permissions.
Before the Apple Security Update 2005-003:
The Apple AD plug-in would be fine with this, and realize that the AD user account supplied during the bind was in an AD group that had sufficient permission to join the Mac to the AD computer account.
After the Apple Security Update 2005-003:
The Apple AD plug-in will not check to see if the AD user account supplied during the bind is a member of an AD group with sufficient permissions to join a Mac to the AD computer account.
The Fix:
The way we were able to get around this was to give my AD user account full permissions for the AD computer account that I was trying to bind the Mac to.
Mac OS X Hints
http://hints.macworld.com/article.php?story=2005032402440087
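
The difference described above, as an added example that is not part of the original hint: a small Python model that classifies bind accounts by whether their full-permission entry on the computer account is direct or reached only through a group, which per the post is the case that stops working after Security Update 2005-003. All account names, group names and ACL entries are constructed, and the single "full control" right is a simplification assumed for illustration.

```python
from dataclasses import dataclass

FULL_CONTROL = "FULL_CONTROL"  # simplified stand-in for "full permissions"

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry applies to
    rights: str
    inherited: bool  # True when the entry came from the parent OU

def expand_groups(principal, member_of):
    """Return the principal plus every group it belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name in seen:      # guards against circular group nesting
            continue
        seen.add(name)
        stack.extend(member_of.get(name, ()))
    return seen

def bind_readiness(user, acl, member_of):
    """'direct' = user is named on the ACL, 'group-only' = reached via a group."""
    trustees = {ace.trustee for ace in acl if ace.rights == FULL_CONTROL}
    if user in trustees:
        return "direct"
    if trustees & (expand_groups(user, member_of) - {user}):
        return "group-only"
    return "none"

def accounts_needing_direct_ace(users, acl, member_of):
    """Bind accounts that, per the post, fail after the update until fixed."""
    return sorted(u for u in users
                  if bind_readiness(u, acl, member_of) == "group-only")

# Constructed sample data: the computer account inherits the OU's entry for
# the admin group, and one user has also been added directly (the post's fix).
MEMBER_OF = {"alice": ["mac-admins"], "bob": ["helpdesk"],
             "helpdesk": ["mac-admins"], "carol": ["staff"]}
COMPUTER_ACL = [Ace("mac-admins", FULL_CONTROL, inherited=True),
                Ace("alice", FULL_CONTROL, inherited=False)]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, bind_readiness(user, COMPUTER_ACL, MEMBER_OF))
```
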