I have read in the past that DLU policies are singular in nature and not
additive. I am wondering if this is still the case and if there are any
workarounds for this available third party or otherwise. I am in need of
a solution for my current environment:

-ZenWorks 6.5.2 with HP4 applied. (Upgrade Rights to 7.0.1)
-NetWare 6.5.2 with post sp2 hotfixes applied.
-eDirectory 8.7.3.2
-One Tree eDirectory Design
-No Active Directory domains
-Windows XP SP2 Workstations and Laptops

I work at in an educational community with school faculty, students and
support staff. We would like to change the way users log in dependent on
the machine AND user. For instance we would like a DLU policy for
faculty that allows them to login as an non-volatile administrator and
restrict it to just a container full of imported laptops. We would also
like the same faculty user to log in as a volatile limited user account
and restrict this to just public machines such as labs. Currently as it
stands now this is impossible because the first DLU policy that a user
hits is the only one that will apply to that user.

To illustrate this, lets say all faculty are in one OU and those who
have laptops are part of a group in this same OU. This group has a DLU
policy associated to it to allow them to login as an non-volatile
administrator with login restrictions to a container full of imported
laptops. The OU has a DLU policy associated to it that allows the
faculty to log into machines as a volatile limited user account with
login restrictions to a container full of lab desktops. When a faculty
user logs in with this setup in a lab they get prompted for a windows
login. The reason is the search policy for this OU is configured to
resolve policies in order of Object, Group and Container. Despite the
fact that the login in the Group associated user policy for laptops has
login restrictions to just the laptop container, the DLU policy process
stops here and does not proceed to the container level. This is our
problem.

I know that DLU is not supported in an AD environment and it is really
not something we would like to do anyway. If anyone has any additional
information on how to solve this problem I would greatly appreciate it
because personally I am very disappointed with ZenWorks.

Joe