Situation: In an identity Managed environment, where passwords are synched
back and forth from AD to an IDVault, and then on to another EDIR Tree, a
number of users inexplicably had their password expiration set to Jan 1,
1992.

To the best of my knowledge, none of these users changed their password, or
had it changed administratively. A password change is the only reason
(other than directly setting it) that a password expiration date changes,
right?

The only correlating activity is that in the downstream/"spoke" Edirectory
tree (not the IDVault "hub") someone changed the Universal Password Policy
to increase the minimum required characters from 5 to 8. The UP Policy is
NOT set to verify password compliance at authentication.
This "should" be a transparent change, right?

So if changing the minimum characters "should" be transparent and definitely
not affect the expiration date, what scenarios could possibly cause the
dates to reset?
Could a change made by a driver be perceived as an admin change? I am
synching nspmDistributionPassword between systems, and using Distribution
Password, which I believe avoids that scenario.

Thanks,

Rob