We're moving our users from simple password to Universal password because we are are sychronizing user data and passwords to AD using Novell IDM. users need active Universal password to get passwords synced to AD. However the universal password is not activated before the user changes passwords.
Some quotes from Identity manager 3.01 admin guide 5.4.1
After you roll out the Novell Client, the next time users log in by using the Novell Client, it captures the NDS password before it is hashed, and uses it to populate the Universal Password.
But then a little lower at 5.4.3
The latest version of the Novell Client supports Universal Password, can populate Universal Password for a user when you first enable Universal Password for that user, and can display and enforce NMAS password policies when users are changing passwords.
Tests show that NMAS password policy is not synchronized to AD before he has changed his password.
Is there a way to enforce NMAS password policy without user changing their passwords?

Any ideas welcome.