To ease the side affect of this issue, the amount of grace logins can be configured to 6 or 9 so the end user will technically still have 3 grace logins before the user is locked out.
Neither ZEN nor client32 has any control over the grace login fields. The Grace logins are a function of eDirectory.The reason two grace logins are taken on every login when the ZCM agent is present is because the ZCM agent connections are separate from the nwclient connections. Nwclient will login using an NCP connection but ZCM will login using an LDAP connection. Both logins will consume a grace login as they are completely separate individual connections. When eDir is presented with user credentials for the purpose of a login, eDir first checks if the password is expired. If it is expired, eDir will only grant the connection if there are remaining grace logins left. But then if it does grant the connection, it will decrement the remaining grace logins allowed.
For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems