Stephen suggested we add the ability to lock out (force reset) passwords for all users on the KDC as a requirement. [Action George]
Graham suggested that using a central KDC may mean we have less access to data (such as logs) to make security decisions; add this to the report. [Action George]