CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
When IM submits a Change My Password task, the dxPwdLoginTime operational attribute on the user in the IM UserStore is cleared.
Environment
Release:
Component: IDSVA
Resolution
If the CA Directory DSA used for the IM UserStore is configured with password policy enabled, CA Directory updates the dxPwdLoginTime attribute to capture the login time of a user. When CA Directory receives a request from a user to change their own password, the dxPwdLoginTime attribute is not cleared. When CA Directory receives a request to change the password of a user other than the one submitting the request, the dxPwdLoginTime attribute value is cleared. Because IM uses a proxy ID configured in the UserDir XML to perform all updates, CA Directory needs to have password-proxy-user set to that proxy user so that password changes from IM do not clear the dxPwdLoginTime attribute.
Additional Information
Please review the following CA Directory documentation link, which mentions the password-proxy-user setting: