Developing a Password Sync Plugin for Active Directory

I've spent some time prototyping Microsoft's Identity Lifecycle Manager a year ago. They've move things around since then, so this may not be accurate of the current state of the product. At the same time I did spend time working with Novell IDM.

ILM had some marked differences from IDM.

• Significantly more connectors out of the box. Unlike Novell IDM, you're not going to pay extra to get things like your Oracle and MS-SQL connectors. If you're at all cost-conscious, this is a biggie. In our environment the cost difference was $100K versus $15K.
• New-object replication requires custom code At least as of my review of the product, the "New Object" event requires linking to a compiled DLL that actually handles the object-create process in the remote environment. Presumably compiled in VisualStudio, this contains the functions required to actually set up a new object and related environment in a remote identity domain. On the one hand, this gives you complete control of the setup process, which is something that Novell IDM isn't that great about. On the other hand, you need to be able to create C#/VB programs in Visual Studio.
• Not nearly as well defined transform stages IDM was very good about creating a visual environment that described the various stages of object transformation between two environments. ILM doesn't have this. IDM is intuitive. ILM requires a good deal of reading. What's more, to get fancy in the intermediary transform stages in ILM requires a compiled DLL, where in IDM it's handled in large part through the DirXML script Novell has evolved since 1999.
• Poor design tools There is no equivalent to the Identity Manager Designer.

Novell IDM really is the top tier of identity management solutions. It has been on the market for the longest and has had a chance to really solidify its feature set and mind-share. Even though it cost w-a-y more than ILM, you really do get what you pay for. In the end, in our environment the cost of ILM versus IDM would have been a wash due to the additional man-hours required to get an ILM-based environment up and running.

In the end we decided that the cheapest way was to continue rolling our own. We already had a home-built system in place, and the cost projections were not that much different than an IDM/ILM implementation project would have been. Inertia won.

Edit:

I see from your comments that you aren't doing the "poor man's trust relationship" with local accounts, but rather are pre-caching credentials on the client computers before shipping them off-site.

With that in mind, you still really, really want a site-to-site VPN solution, rather than running VPN clients on each client computer. That will make the question you're asking be a moot point. Your client computers won't "know" that there's a VPN present, and things like domain logons and group policy, as well as password changes will "just work".

My eyes are nearly bleeding even thinking about having to deal with no site-to-site VPN and cached credentials on client computers in such an environment.