Just to follow up on the Domain Acct that is both Managed and Unmanaged:
1) you could then set up a Target group to include the Domain Acct that is Managed and all the duplicate Domain Accts for each end-node that is not Managed
2) set up a scheduled job that rotates the group at a specific time, but uses the same password for all Accts
This way, whenever you update the local accounts, the Domain Account that you used is always up to date!
Still not the best way, but an alternative.