I have just setup Magic Triangle on our network. I am testing this on a new user setup whereby I am logging into the domain with their account information from the AD. On our OD I have set it so the user does not have access to System Pref > Sharing and when I login I can see that that option is grayed out for this user. So as far as I can tell, everything seems to be working as expected.
One question though, is there a way to allow the user to install Application on their Mac? We are a small company with an even smaller IT department and I don't have time to approve every install. Is there a happy medium between locking the user out of some things but allowing them to install / remove software?