We have problems using the "Excluded/Included Users Lists" feature of DLU.

This is what we are trying to do: Most of our ZCM-managed workstations should
allow all eDirectory accounts to login; so we have a DLU policy without any
"Login Restrictions" assigned to those devices. So far it works fine.

Now we have one lab where only a subset of accounts should be allowed to
login. We assigned a DLU policy with "Login Restrictions" to those devices.
We want to put "Users" (=ALL accounts) into the "Excluded Users List" and an
eDirectory group into the "Included Users List". But this does not work -
some accounts could login, some not - but without any correlation to the
eDirectory group.

So for testing we simplified the scenario: only one single account is in the
"Excluded Users List" - does not work, the account still can login. (DLU
creates a local account which did not exist before the test.)

My question: Is something wrong with how we try to do this? Should this work
or is there a flaw in the idea?

(ZCM 11 SP1, Windows 7 workstations with Novell Client and ZCM Agent, no
Windows Domain)