A common scenario is to manage Active Directory passwords with CA Identity Manager.
The IDM password policy is configured with options such as "Account disabled after 3 successive incorrect passwords" or "Password expires if not changed".
However, this does not appear to work: the user is placed in a disabled state in IDM (CA Identity Manager) according to the IDM password policy, but the disabled state is not reflected in Active Directory.
This is working as designed.
Release : 14.3 CP1
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
The Password Services tasks in IM are "audited" tasks, not executed tasks. This means that the changes are applied only to the IDM user and are not propagated to the endpoint accounts. This prevents an already logged-in user from locking out all of their endpoint accounts.
Example: A worker is logged into their physical machine at work and attempts to perform actions within IDM. After 3 failed login attempts, they are locked out of IDM. If IDM synchronized this lockout to the endpoints, the same individual would be locked out of all their endpoints, including their physical machine (Active Directory).
To overcome these difficulties, it is recommended that the password policies for IM and Active Directory (AD) are synchronized, and that daily E&C (Explore and Correlate) tasks are executed to keep IM in sync with AD, with AD acting as the authoritative source. We also recommend the use of the PSA (Password Sync Agent).