Windows-only environment ... passthrough authentication for ZEN agent?

With a complex AD container installation (i.e. 5,000 or more users in
lots of different containers 3 or 4 levels deep), how do we configure
the zen65 agent such that it can log in to the mid-tier via passthrough?

I.e., we do not want our users to have to enter a context. The
prevailing theory at this point is that we will configure IDM starter
pack to mirror the AD container configuration (that way they can use
containers as a management tool).

But if users are found in several containers, how does contextless login
work for the agent?

Anyone have a clue stick for me?