I'm still testing DSfW, and I'm trying to create some user objects in an OU either inside or outside of the default Users container. (because you can't apply GPOs to containers, only OUs).
When I create a user anywhere other than the Users container, that user can't log into the domain. It does look like the user gets provisioned for DSfW correctly, though. It gets put in the domain users group, gets a SAMAccountName attrib, etc. It doesn't, however get a UP policy assigned to it, not even the Domain Password Policy that is assigned to the domain partition. Even if I create the user at the domain partition root where the policy is directly applied, it doesn't get assigned (according to iManager).
It does get the partition policy if I create the user inside the Users container, though.

I'm using a name mapped dsfw config, and have an ou/partition named "domain" in my tree that's my domain root. iManager shows the Domain Password Policy associated here. I don't have a UP applied to the "Login Policy.Security" object.

DSfW shouldn't break the standard UP implementation, should it?

Can anyone offer any insights?