My current environment is five OES2 SP1 servers supporting 150 users configured in eDirectory ZCM 10.2 sources the users from eDirectory, and is used to apply Dynamic Local User policies(DLU), and Windows Group Policies (WGP), and provide patch management.

The purpose of this thread is to explore the implications to DLU and WGP policies of introducing DSfW.

We use DLU because end-users move between workstations and like the convenience of an administrator not having to create local accounts manually.
1. Based on 10071725: DLU in a domain environment. do you agree with my decision to obsolete DLU policies for users moved to DSfW?
2. The Windows group policy...User Rights Assignment> 'Deny logon locally' should be enabled to allow roaming users access to workstations via their DSfW/eDirectory credentials, skipping the requirement of having a local machine account. Do you agree?

3. Since the end-user devices will have to be registered in the DSfW domain, I think it makes sense to transition WGPs out of ZCM and in to DSfW. What do you think?

4. Will I need an MMC license to manage the WGPs in DSfW, or does iManager have a "MMC plugin"?

Thank you in anticipation of your feedback...