We have started to roll out a Universal Password Policy to our users. We are running SLES 11 SP4 / OES 2015 SP1 with the client on the WS being "Client for Open Enterprise Server 2 SP4 (IR6)".

IN general everything is going good with users getting prompted to change their password to meet the complexity requirements in the policy and being asked to answer the challenge/response questions and supply a password hint. But we have one user (so far) who doesn't seem to be getting the policy, although they are assigned to the password policy in iManager. Also in iManager if I go to 'View Policy Assignments' and put in the user, it shows the correct Password Policy as being assigned to her.

Nevertheless, when the user logs in, they are not prompted for challenge/response questions, asked for a password hint or asked to change their password to meet the password policy requirements. Also, if at the WS I right click on the OES Client icon in the system tray and choose "User Administration of xxx tree", then Challenge/Response administration, I get the dialog "Cannot administer Challenge/Response because the current user does not have a password policy"!

We have a simple eDir tree with 3 servers in the replica ring. I ran ndsrepair on all 3 servers checking time sync, replica sync, external references and stuck obits and everything is coming up clean.

What could be the problem?