Been there previously, done rule changes etc, yet this still does happen on
some user

User created in eDir, Universal Password active, user has one grace login
allowed & must change password

This user does not show any restrictions in AD yet in eDir I get the above,
which gives all sort of strange problems

Any idea what is setting it & why?

It does NOT happen on ALL the users