The test Mac is on our Active Directory (AD) domain and can access all Windows resources. The only trouble is with our POWER7. From what I've found, I think the DES encryption is the problem. We have four special user accounts in AD for SSO that were created using an IBM script when we first set up EIM. Those users are set to use DES (probably because in '08 IBM required it). By default, Win7 doesn't have DES enabled, which is why I have to modify the Local Security Policy. From what I've read, Mac doesn't have DES enabled by default either. In order to enable it, you're supposed to modify the /etc/krb5.conf file, which my Mac doesn't have.
From here, I see that I have two options.
1. Remove the DES requirement
2. Write a /etc/krb5.conf file and see if I can get Mac to use DES
I have the PTF's you listed, so I'm going to start with #1. If I get that to work, EIM/SSO should be plug-n-play for new machines. One less thing I have to do on every new PC would be a good thing.