One of the cooler engagements I've done lately has been work around Centrify's DirectControl product.

From Centrify's Website:

Centrify enables a secure, connected computing environment by seamlessly integrating your non-Microsoft systems, web applications, databases and ERP apps, and storage systems with Microsoft Active Directory.

In other words, DirectControl allows Unix systems to act and behave like Windows Clients, and leverage the native Kerberos authentication and LDAP authorization from AD.  The product also leverages Group Policies to manage the systems as well.

One of the unique features found in this product that is not found in the Quest/Vintela or Centeris is that Centrify introduces a concept called zones.  These zones allow for logon isolation, and allow you to have multiple Unix identity information for each Unix/Linux system.  What this really means is that you can start using DirectControl without having to normalize the UID space right away, and can work on that over time.