I remember seeing something like this a few years ago.
We turned off the server, and there were some settings that we had to remove on ADSI.
In the OS X Leopard to Mt. Lion days, we used AD more for Managed Preferences, but Apple has been removing that functionality since Mavericks.
We've removed all the Managed Preferences from AD, but three always get created automatically when we create a new user:
- Mobility
- Login
- Dock
I then have to click the "Never" radio button on the last two because I don't want them interfering with Config Profiles or plists that we're setting up as defaults at the computer. The most annoying one is the "Login" because it automounts the network home share (but not the user's actual network home folder).
I'm not sure if I should also just hit the "Never" button in the mobility since those same settings get created when we bind the computer to AD anyway. I can't remember if there were any adverse effects from doing that.
I just don't want them to get switched on in the first place, so I'm trying to find a way to do that but not affect other AD services at the client computer in the process.
It's been a while, but I believe user level managed preferences you set in Workgroup Manager will override all other managed preferences, which is why disabling the preferences per person is working. Have you verified you don't have a group in Workgroup Manager with this setting enabled?
Similarly, if you open System Information on your Mac workstation and choose Managed Client, do you see the preference there? If so, you've got a locally cached preference setting you'll need to clear out.
@talkingmoose The only group that every new user we create belongs to at first is "Domain Users." I just checked WM on the Lion computer I'm running it on, and that group has no managed preferences set.
After we create the users, we attach them to security groups for server access, and mail distribution groups. I just went through all of our active security and distribution groups on WM, and none of them have any managed preferences set.
I just checked System Info > Managed Client on three bound computers as you suggested, and it says "No information found."
So, I don't know why these three get switched on by default for any new user we create. It may be an AD thing as @jonnydford suggested.
The settings you are talking about are on the computer, not on AD.
That's just normal. They should not interfere with config profiles or anything else.
The Mobile and Login are because you set those preferences in the AD plugin.

Not sure about the Dock; I think you are getting false information from WGM.
Use dscl to view the user's record to see all the attributes. Or I also like to use Apache Directory Studio.
ldapsearch also works if you want to view the attributes for an AD object from a machine that isn't bound to AD.
Just to add, these machines are only bound to AD right? No open directory server?
You are not running the golden triangle right?
Active directory schema has not been extended for MCX settings?
@calumhunter We have the third option. I thought about that over the weekend that this may be the cause.
We did this about 4 yrs ago so we wouldn't have to set up a "golden triangle." I don't know if there's a way to undo those extensions from AD on Windows Server 2008.
However, we'll be moving our AD to Windows Server 2012, and we may be able to exclude those extensions when we migrate.
You could probably have your AD admin do up a PowerShell script to clear out those attributes in AD. I think that would be easier than trying to migrate an AD and exclude certain attributes, but I'm no AD admin.
The Managed Client section in System Profiler under Software can also tell you where some MCX settings are coming from ... I don't have anything I can put MCX on to show you, but here's where it is in System Profiler.
