NW6.5SP8/ eDir 8.8.5

In our single universal password policy, the "Do not expire the user's
password when the administrator sets the password" filed is set to "false",
but the system does not require a user to change their password when they
log in..

I've found few items in the forums with regard to this.
One had the the following note:
"What we noticed now is that if you wait a few minutes before you try the
initial authentication to the workstation the expiration is there. It's only
if you attempt to try the
account immediately that there is a problem.
So the workaround is really to tell the help desk to tell the customer to
wait five minutes and then log in. But if the user does manage to log in and
does not get prompted it
seems that they never will be prompted."

Another pointed to the password expiration time attribute.
I took this to mean the password lifetime settings and changed the "Number
of days before password can be changed to "0"

I've tried these unsuccessfully, both with the initial setup of a new users,
going back in and changing the user's Universal Password and going back in
and changing their eDir password under the user profile's NMAS tab.

SDIDiag results show all servers with good configurations.

I've gone to the extent of setting up a new testbed server, in its own tree,
and have gotten the same results.
I've tried to install all of the modules that iManager lists as available.
There are three modules that will list as installed, but always show up in
the list of available modules:

iFolder Module
Novell Identity Manager - Secret Store Administration Plug-ins
ZENworks 7.0 Server Management 7.0.1

Here is the output from an "LK" command in SDIDIAG on the test server:
S>>>>>SDIDIAG Begin: Wed May 23 13:22:46 2012

SDIDIAG> lk -v >> SYS:diag.txt
Displaying keys in domain W0, object .W0.KAP.Security.UHCC.
Displaying keys on .TEST.main.UHCC.
Server : .TEST.main.UHCC.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 56 51 65 0D D6 40 89 AF 64 25 CF BF 02 FD 93 88
Validity : Sun May 22 01:17:53 2012 - Sun Feb 3 23:59:00 2036

The production servers also show a 168 bit key.

Where would be the best place to start looking?