The Active Directory (AD) password policy is set to lock a user account after 3 consecutive wrong password attempts. In other words, on the 4th wrong password attempt the account is locked in AD (not disabled).
However, when the same wrong-password attempts are made via CA Identity Manager, the account is disabled instead (disabled flag set to 1). The provisioning store shows the user's eTIMEnabledState attribute set to 0; after a modify user action with some value to sync data to AD, the provisioning store's eTIMEnabledState value is synced to 1 and the user is disabled in AD (userAccountControl=514).
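To make the distinction above concrete, here is an added example (not CA Identity Manager or Broadcom code) that classifies an AD account from its LDAP attributes: a password-policy lockout is expressed through the lockoutTime attribute, while a disable is the ACCOUNTDISABLE bit (0x2) in userAccountControl, so 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). It also reports accounts that are both within an open lockout window and disabled, which is the post-sync state this article describes. The sample entries, the clock value and the 30-minute lockoutDuration are constructed assumptions, not values from the page.

```python
"""Tell an AD lockout apart from an AD disable, and flag lockouts that
have escalated into disables.

Added example, not CA Identity Manager code. Sample entries below are
constructed, not captured from a real directory.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Microsoft values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
# AD does not store the LOCKOUT (0x0010) bit in userAccountControl; lockout
# state has to be derived from the lockoutTime attribute instead.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample data.
    Integer arithmetic avoids float rounding on 1e16-scale tick counts."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micros * 10


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (e.g. 514)."""
    return bool(uac & ACCOUNTDISABLE)


def is_locked(lockout_time: int, lockout_duration: timedelta, now: datetime) -> bool:
    """lockoutTime 0 means not locked (or cleared); otherwise the lock holds
    until the domain's lockoutDuration has elapsed. A lockoutDuration of
    zero means the lock persists until an administrator unlocks the account."""
    if lockout_time == 0:
        return False
    if lockout_duration == timedelta(0):
        return True
    return now < filetime_to_datetime(lockout_time) + lockout_duration


def classify(entry: dict, lockout_duration: timedelta, now: datetime) -> str:
    """Return 'enabled', 'locked', 'disabled' or 'locked+disabled'."""
    disabled = is_disabled(entry["userAccountControl"])
    locked = is_locked(entry.get("lockoutTime", 0), lockout_duration, now)
    if locked and disabled:
        return "locked+disabled"
    if disabled:
        return "disabled"
    if locked:
        return "locked"
    return "enabled"


def lockouts_escalated_to_disable(entries, lockout_duration, now):
    """Names of accounts whose lockout window is still open and that also
    carry the disable bit: the state the article describes after the
    provisioning sync (an AD lockout turned into userAccountControl=514).
    A plain password-policy lockout never sets the disable bit, so this is
    the condition worth alerting on. Heuristic written for this example."""
    return [
        e["sAMAccountName"]
        for e in entries
        if classify(e, lockout_duration, now) == "locked+disabled"
    ]


# Constructed sample data: lockoutTime values are built from a fixed clock.
NOW = datetime(2020, 2, 6, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed domain lockoutDuration
SAMPLE_ENTRIES = [
    # Normal enabled account, never locked.
    {"sAMAccountName": "alice", "userAccountControl": 512, "lockoutTime": 0},
    # Locked by the AD password policy 5 minutes ago: locked but still enabled.
    {"sAMAccountName": "bob", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    # Same lockout, but after the provisioning sync set the disable bit (514).
    {"sAMAccountName": "carol", "userAccountControl": 514,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    # Administratively disabled; an old lockoutTime has long since expired.
    {"sAMAccountName": "dave", "userAccountControl": 514,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(days=3))},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], classify(e, LOCKOUT_DURATION, NOW))
    print("escalated:", lockouts_escalated_to_disable(SAMPLE_ENTRIES, LOCKOUT_DURATION, NOW))
```

Run against real data, the same functions would be fed the userAccountControl and lockoutTime attributes of each user plus the domain's lockoutDuration; an account that shows up as "locked+disabled" right after a lockout is the symptom to investigate, since AD on its own would have left it at "locked".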
Example steps to reproduce (in this scenario there is no password policy set in IM):
1. Configure Active Directory Authentication Module
2. Configure AD Password Policy to lock account after 3 password attempts
3. Create a test user
4. Lock out the user via the IDM UI by entering the wrong password 3 times
Results:
Programmatic issue.
Release: 14.1 CP9
Component: IdentityMinder (Identity Manager)
CA Identity Manager has supplied a test-fix (DE441255_TF_VAPP.zip) to address this issue.
"HF-DE445661-20200206-0001.tgz.gpg" is the final GA (General Availability) hotfix, and we will go ahead and close this case.
DE441255_TF_VAPP.zip is available on request.
While the test fix has been shown to address the issue, there are some supplementary issues regarding the synchronization error messages between IM and IP.
"HF-DE445661-20200206-0001.tgz.gpg" has been released to address this supplementary issue.