or alternatively just do it as a script that runs from an admin workstation. A for loop that runs thorugh a netdom list of the domain members and then does an xcacls command on them.

do it a couple of times and then add the permissions check in the logon script to write the computername to a file and then run the perms script against that list.

Better to use the GPO method but if you cant then this is a way more secure process.

HTH