This is just for your information on how I solved part of the problem.
I do use sort of a group policy here.
My [netlogon] section looks like this.
[netlogon]
path=/.../netlogondirs/%G
comment=net logon services
write list = admin
force group=office
create mask = 0644
directory mask = 0755
guest ok = no
locking = no
When a user logs on, %G will be its primary group name.
For every group I create a netlogon directory in
/.../netlogondirs/
So I can create a config.pol for every group instead of for every
user in this way. Every user in my office is part of its primary group
and the office group.
Ries
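
An added example, not part of the message above: a small audit of the per-group netlogon tree it describes, flagging groups with no directory or no config.pol and anything more permissive than the share's create mask (0644) and directory mask (0755). The base directory, the group names and the function names are assumptions made for illustration, and the sample tree is constructed.

```python
import os
import stat
import tempfile

FILE_MASK = 0o644   # "create mask" from the share definition above
DIR_MASK = 0o755    # "directory mask" from the share definition above


def audit_netlogon(base, groups):
    """Return sorted (group, problem) tuples for a per-group netlogon tree."""
    findings = []
    for group in groups:
        gdir = os.path.join(base, group)
        if not os.path.isdir(gdir):
            findings.append((group, "missing directory"))
            continue
        mode = stat.S_IMODE(os.stat(gdir).st_mode)
        if mode & ~DIR_MASK:  # any permission bit outside 0755
            findings.append((group, "directory mode %04o exceeds 0755" % mode))
        pol = os.path.join(gdir, "config.pol")
        if not os.path.isfile(pol):
            findings.append((group, "missing config.pol"))
            continue
        mode = stat.S_IMODE(os.stat(pol).st_mode)
        if mode & ~FILE_MASK:  # any permission bit outside 0644
            findings.append((group, "config.pol mode %04o exceeds 0644" % mode))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout: 'sales' is fine, 'dev' has a world-writable policy."""
    for group, pol_mode in (("sales", 0o644), ("dev", 0o666)):
        gdir = os.path.join(base, group)
        os.mkdir(gdir)
        os.chmod(gdir, 0o755)  # set explicitly so the umask does not matter
        pol = os.path.join(gdir, "config.pol")
        with open(pol, "wb") as fh:
            fh.write(b"")  # empty placeholder, not a real policy file
        os.chmod(pol, pol_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        # 'temps' is a constructed group that has no directory yet
        for group, problem in audit_netlogon(base, ["sales", "dev", "temps"]):
            print("%-8s %s" % (group, problem))
```

In real use the group list would be the primary groups of the accounts that log on, and the base would be the directory that holds the per-group subdirectories.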