I guess we should take a step back and look at the various kinds of user accounts.
It may make the problem clearer to you.
Local User Account - is a user account you set up on a single client machine. The user can only log on to the machine this UA was created on. A local user account does NOT have any network access credentials in an Active Directory environment.
Domain User Account - is a user account you can use in a Windows NT/2000 Domain Environment. This user account is set up on the domain controller(s). The user can log on to any network client authorized by domain controllers (meaning you have to add the machine to the domain prior to using domain accounts on it) with the same userID and password and have different settings (desktop wallpaper, start menu, default dialup connection...) for each client machine he logs on to.
Roaming User Profile - As we said before this is a particular Domain UA. Works the same way as any domain user account, but the user will always have the same settings regardless of the network client he logs on to. At each logon the client machine will download the user profile and settings from the server and upload back any changes at each logoff.
Mandatory User Account - This is a slightly different Roaming UA. The only difference from a Roaming UA is that the user can't change any setting of the profile. He can do whatever he wants during each session (delete desktop icons, change screensaver, create new network connections...), but the server will ignore any changes and after each logoff the domain controller will restore the profile to its initial administrative setup.
Guest Account - The guest account has the lowest privileges both locally and on the network. Basically he can't do almost anything unless explicitly granted by administrators. The Guest Account has no login password and is disabled by default for security reasons.
Please note! A Domain UA does not need a corresponding local UA on each client machine.
Suppose you have a user named John in a domain named *MyDomain*.
A local UA would store the user profile files in the folder: *C:\Documents and Settings\John* .
A domain UA would store those files in the folder: *C:\Documents and Settings\John.MyDomain*. This means you can use both a local *John* profile and a domain *john* profile on the same machine, but they will always be two distinct *john* with different SIDs (Security ID) even if they have the same password. Logically only the domain UA will receive network authorizations and Active Directory policies (local *john* would always have network access denied). Each *john* login will be treated separately and read information from its corresponding *documents and settings* folder in case you use that login in the domain or locally.
If you have a local and a domain *john* UA using the same password, this would most likely cause security problems in reading Active Directory permissions from domain controllers. So I advise you to avoid setting up a local UA with a username equal to any domain UA.
Once again, if you have a *john* domain UA and you want him to log on to any network client then the only thing you need is a proper domain UA, you don't need a corresponding local UA... meaning no further configuration on the client, just log in to the domain from the client... AD will do the rest.
This was to say that you will never find the import utility you were looking for because of these fundamental reasons:
1. Active Directory security principals are based on the fact that the domain accounting policies reside ONLY on domain controllers.
2. Such a utility would be useless because any domain machine is able to read all accounts from domain controllers.
3. Duplicating UAs from domain to local would be a useless administrative overhead. Active Directory gives you the powerful benefit of having a single administration point for accounting management.
4. There is no AD database on the laptop clients. Clients are only able to read AD from the domain controllers' SYSVOL share (the only place where the AD database resides).
Now the specific case.
If you manage the school network as a domain environment and need to grant the same limited access to each of the students then the best thing to do is to set up a Mandatory User Profile named *Student*, a single one for all students. As said before a mandatory UA will prevent students from changing any of the settings (including the login password) you define initially and the domain authentication will save you from setting up 350 different local UAs on any classroom client machine. Then use NTFS permissions and eventually Group Policy Objects to further restrict the students' use of the network/domain/computer.
If you need help on assigning a mandatory User Profile, check
http://support.microsoft.com/default.aspx?scid=kb;en-us;q323368
Sorry if I talked that long but I was not sure you knew precisely what I was talking about.
Good luck!
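
The post advises against local accounts that share a username with a domain account. The following audit is an added example, not part of the original post: it lists local accounts on a client whose name also resolves in the domain, and prints both SIDs. It assumes a domain-joined machine with PowerShell 5.1 or later (for `Get-LocalUser`); the function name `Resolve-DomainSid` is made up for this example.

```powershell
# Added example: find local accounts whose username also exists in the domain.
# Each hit is two separate security principals with two different SIDs.

function Resolve-DomainSid {
    # Hypothetical helper: returns the SID string of DOMAIN\Name, or $null if
    # the domain has no account with that name.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Name
    )
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This machine is not joined to a domain; nothing to compare against."
}

# Built-in names such as Administrator and Guest exist in both scopes by
# design, so expect them in the output; review every other row.
Get-LocalUser | ForEach-Object {
    $domainSid = Resolve-DomainSid -Domain $cs.Domain -Name $_.Name
    if ($domainSid) {
        [pscustomobject]@{
            Name         = $_.Name
            LocalEnabled = $_.Enabled
            LocalSid     = $_.SID.Value   # issued by this machine
            DomainSid    = $domainSid     # issued by the domain
        }
    }
} | Format-Table -AutoSize
```

The `LocalSid` and `DomainSid` columns differ on every row, which is why permissions granted to the domain account never apply to the local account of the same name.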