We have a large number of accounts that are in a failed state for various hygiene reasons. We need to understand the password reset retry logic for these accounts.
Applies to any PAM release.
There is no built-in functionality in PAM to retry failed password update attempts.
If the accounts in question have a maximum password age defined in PAM per password composition policy assigned to the target application, and option "Automatically Update Expired Passwords" is checked on the Settings > Credential Manager > General Settings page, then the expired password processor, which runs every 12 hrs, will try to update the password again on every run. But that would just be based on the password being older than the configured maximum age, and not a retry of a failed attempt.
PAM allows you to configure scheduled jobs (Credentials > Manager Targets > Scheduled Jobs) to update accounts that currently are in a "Verification Failed" status, see screenshot below. This could be used to get accounts back in sync for which the last update attempt failed due to a temporary problem outside of PAM, such as a network problem or a server reboot.