You can enable "Enforce machine auth" on 1x auth profile.
- default machine role = role machine (specific acl or logon)
- default user role = role user (specifi acl or logon)
and on AAA, 1x default role = Company user role (full access);
and then combine it with ServerGroup-Server Rule, to put specific group to specific user role.
This can be applied if all client are domain machine, for non-domain machine, it won't be authenticated at all.
--Yopi--