That's where third-party tools come in. Two packages provide mapping services from GPO to MP: Thursby's ADmitMac and Centrify's DirectControl. Both have client-side components that replace Apple's Active Directory plug-in, and both supplant Apple's SMB file sharing with their own enhanced equivalents. DirectControl has a more straightforward mapping of GPO to MP, and it stores that mapping within AD itself, while ADmitMac keeps mappings in a non-Active Directory file server. However, only ADmitMac's file sharing includes full support for Windows DFS, which is a key requirement in many enterprise environments. Thursby also offers DFS support in its lightweight Dave file-sharing utility.
GPO propagation is just one aspect of Windows-centric administration. Others include asset tracking, patch management, and OS image generation and deployment. Neither ADmitMac nor DirectControl addresses these, but other third-party products do. JAMF offers two client management suites: Casper and Recon. Casper performs hardware and software enumeration and tracking -- including software license and data encryption management -- as well as staged imaging and secure remote control. It sports a customer service portal for user self-administration, in addition to a centralized admin console with an iPhone interface. Recon is a stripped-down version of Casper, with just the asset tracking, centralized console, and iPhone components.
Avocent's LANDesk is another Windows-oriented management tool with Mac capabilities, focusing on asset tracking and OS deployment. LANDesk uses Mac OS X Server to spin out OS deployment images via Netboot or HTTP, and it can even deploy Windows OS images to Mac-hosted virtual machines. This capability is central to any platform-agnostic desktop strategy where application, rather than device, management is the goal. LANDesk lets you distribute standardized OS images pre-configured for centrally hosted applications, à la Citrix.
Symantec is a lesser-known player in the Mac desktop asset tracking/deployment niche with its Altiris Client Management Suite, which hasn't seen significant Mac enhancement since 2007. The Altiris Inventory Solution for Mac performs hardware and software discovery and asset tracking, while its Deployment Solution performs OS imaging via Mac OS X Server in the same way LANDesk does. Its Management Agent for Mac provides remote script scheduling, software update management, and limited policy enforcement.
Managing Macs using native tools may be a better approach
For enterprises that don't feel the need for Windows-based management, Apple's native Mac OS X management tools offer a nearly equivalent level of control that can still integrate with Windows Active Directory authentication infrastructure. In this management model, you use Mac OS X's built-in Active Directory plug-in for domain authentication and SMB support for file and printer sharing, but depend on Mac OS X's Open Directory and Managed Preferences (MP) architectures for policy enforcement. You run one or more instances of Mac OS X Server, which provides MP controls in its Workgroup Manager interface. You must manually synchronize user groups between Active Directory and Open Directory, but then Active Directory user accounts automatically populate their corresponding Open Directory groups.
Alternatively, you can configure the Open Directory server as an Active Directory "stub," which eliminates the group synchronization chore but limits your MP choices to those that have a corresponding Active Directory policy.