After creating a Global User and provisioning it with a correlated Windows NT account at the Access Control Endpoint, updating the Global User's password using Provisioning Manager always turns on the "User must change password at next login" option on the NT account, regardless of the Account Template settings.
If we update the Corporate user's password via the Identity Manager User Console's Reset User Password task, this problem doesn't occur.
Release: IM 14.3, 14.4 and PIM 12.81 on Windows 2016
When we compare how the Windows NT account is updated by the IM User Console and by Provisioning Manager, the difference is the eTSelfChange attribute. When the IM User Console is used, Provisioning sends an eTSelfChange=1 update; when Provisioning Manager is used, the account update lacks this attribute.
Provisioning Manager is working by design, because we log in as the 'etaadmin' Administrator User to update the Global User's password. As the password is not updated by the Global User itself, Provisioning doesn't send eTSelfChange=1.
To work around this problem, customers can use the IM User Console or run the following etautil command on the Provisioning Server machine:
etautil -d im -u etaadmin -p <etaadmin's password> update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTGlobalUser eTGlobalUserName=<global user name> to eTSyncAccounts=1 eTSelfChange=1 eTPassword=<new password>
Notes:
Replace <etaadmin's password> with etaadmin's password
Replace <global user name> with the Global User name
Replace <new password> with the new password to update