I have configured IDM so that when a user account is created in a specific OU in AD, it syncs to the ID vault. (This is needed for certain 'non-human' accounts.) The process mostly works, but I can't get "force user to change password at first logon" to work. I tried copying the existing rule for this functionality from the subscriber channel, but one condition for that rule is "if-op-attr 'nspmDistributionPassword' available = TRUE" and it always returns false.

A level three trace is at https://pastebin.com/GNwKGTDu.

Any suggestions are welcome.