. 

Sometimes it is necessary to import target accounts into PAM which do not have the default password view policy and instead have one which requires a change password on view action.

<Please see attached file for image>

If we try this for a target account with the highlighted policy, import seems to work fine, but then accessing the imported account and trying to verify or save it we get the following

<Please see attached file for image>

So "PAM-CM-0816 The specified password view policy has "change password on view" enabled, but the account is unsynchronized"

Why is this so and how can it be solved ?

CA PAM all versions

This is due to how the password view and verification flow works: when we try to verify or save a password after the import, if the password view policy chosen has the "Change Password on View" policy enabled it will access the password we have stored in the database and it will see it has never been verified.

Because of this, it cannot know if it is the right password. If it were not the right password, the next time we access the password for this account we would have the wrong one and it would not be possible to verify or change it. 

That is why unless the account is verified you cannot save or verify the password with the "Change password on view" setting active.

To successfully import these accounts, first assign to them the default password view policy, which does not have "Change password on view" setting active and subsequently save their passwords locally to the Password Authority server and then to the Target server. That will allow you to save the password and make sure it is verified.

After doing so, you can change back their Password view Policy  to your custom policy and all will work correctly.