When a user is moved into a DSfW domain and the associated password policy of the moved user does not fall under the domain boundary, the generation of the DSfW-specific authentication keys of the moved user might fail unless the associated password policy is in the security container. This is because the DSfW server (NCP server object) does not have permissions on the associated password policy object of the moved user, if the password policy object is not present either in the security container or the domain boundary.
You must ensure that all the DSfW servers (domain controllers) of a DSfW domain are granted read rights on the associated password policy. On the other hand, if the associated password policy of the moved user is located in the security container, the generation of DSfW-specific authentication keys is seamless as every server in the eDirectory Tree has preassigned rights on the security container.
It is recommended to have the password policies in the security container which allows moving users into the DSfW domain to work seamlessly. Alternatively, if the associated password policy is not under security container, you must grant Read and Compare permissions for on the password policy object for all the NCP server objects of the domain controllers of a DSfW domain.