We use IDM to provision new AD accounts and we set the pwdlastset
attribute value to "0" to prompt users to change their passwords after
first login. The problem is that the attribute get set to "0" and
disabled again afterwards. We have password synchronization enabled
between AD and IDM. I went through the logs to check what might be
causing this but to no avail .

bzanin's Profile: https://forums.netiq.com/member.php?userid=9162
View this thread: https://forums.netiq.com/showthread.php?t=53502