More Managed Unit fun... I figured out that ARS was not syncing Access Template Link-granted permissions to native Active Directory for items in a Managed Unit the ATL was created on.
Here's what I've found so far:
A VBScript to sync Managed Unit permissions to AD for 6.0 and 6.1: http://communities.quest.com/docs/DOC-10232
Reference in the release notes for 6.8:
TF00179166
Fixed: ActiveRoles may not propagate permission and policy settings to the members of the Managed Unit as expected when you apply an Access Template or Policy Object to that Managed Unit.
Is there any sort of fix/workaround for ARS 6.7? The only thing I can think to do is make a bunch of ATLs with PS, which isn't too horrible, since the MU currently in question contains about 300 OUs, but I'd rather find something that won't generate a ton of ATLs if I need native AD permissions on an MU with lots of objects.
My workaround (all one line), most suitable for a Managed Unit with fewer than a few hundred immediate child items:
Get-QADObject -Type organizationalUnit -SearchRoot "Configuration/Managed Units/OurMUs/All Users OUs" -SearchScope OneLevel | foreach {
    New-QARSAccessTemplateLink -AccessTemplate "OurAwesomeTemplate" -DirectoryObject $_.DN -Trustee OurDomain\theAwesomeAccount -SynchronizedToAD $true -Name "OurAwesomeTemplate-theAwesomeAccount-$($_.CanonicalName)"
}