On the firewall, an administrative user is either an 'admin' (full access) or an 'adminro' (read-only access), and this cannot be changed based on the reply from the LDAP server (or from any other authentication server).
Thanks for the response!
FYI, you should note this for the Stonesoft transition... In the public space (government) there is a requirement to have least privilege implemented. I don't know how McAfee got past DOD compliance without having this, but it will get flagged at some point.
Thanks for your time.