samba - Feb 2009 - Samba + Active Directory -> Deny Hosts

Hi All

I just got my RHEL5 hosts authenticating successfully from a Win2K3-R2
Active Directory server using the Samba / Winbind combination.  While the
host login capability works perfectly, we need the capability to deny
specific users and groups access to specific computers.

The generic Active Directory option of User->Properties->Account->Log
On
To works perfectly (i.e. I can specify my host, and it denies or allows
accordingly) however I would have to specify all of the machines that I
wish to allow access for an individual (which is not really feasible).

The Group Policy Object - Deny Log on Locally - I believe is not supported
for Linux (is this correct?)

Is there a way to get this functionality to easily work for groups (i.e.
GroupX is allowed to login to Host1, while GroupY is not?) on the Linux
end? Has anyone been successful?

Thanks again
--Tim F.