Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx
With a recent DCR to Windows 7 & W2k8 R2 (http://support.microsoft.com/kb/2520487), it is now possible to filter out specific types of credentials so that they do not roam to your AD database.
Post-hotfix default behaviour is to not roam unaffiliated keys, unused keys and smartcard certificates.
The caveats here are:
* This fix has been ported to W2k8/Vista since this post was written.
AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows 7 or in Windows Server 2008 R2: http://support.microsoft.com/kb/2520487