Disabling or enabling UAC on a host requires a reboot. This can make troubleshooting more difficult. GP.Pismere turned off UAC since 2007 to work around this problem. Some containers have it turned back on though.
We have a workaround that seems to work in ms2mit, but it can cause a Leah kinit popup the first time the new code is run when the registry key isn't already set to "MSLSA:". WIN domain logon scripts (which run ms2mit) seem like they can run concurrently with Leash startup, for unclear reasons.