When setting up a DLU policy to "manage existing user account", I noticed
that it will not only assign the user to the local groups specified in the
policy but will also remove the user from all other groups. In our case, we
do not want the removal to happen. Any way of using the "manage existing"
option so that it does the specified group assignments and password syncs
but does not remove the user from other local groups?

Not using the "manage existing" option does have the desired effect BUT with
the ugly side effect that when the user's eDirectory password changes, they
get prompted to enter their old password for the local account (with the
option to sync them).

We want to have the DLU policy put all of the DLU created accounts into the
"Power Users" group but we want the ability to have certain accounts on
certain machines have "Administrator" rights. We can easily add these users
to their local Administrator group but the DLU comes along and removes them.
We do not want these people to become administrator level on all machines so
a DLU policy to add them to the administrator group is not desirable.

Any better ideas on how to pull this off other than not using "manage
existing account" due to the password sync thing? Unfortunately, we can get
what we want by using AD but I've been hoping to avoid it.

Tony Wyland
Messiah College