When Identity Manager users are assigned their first provisioning role, their disabledstate value changes from 0 to 16777216. This forces the users to change their password on next login. We do not want our users to have forced password changes.
Is this behavior preventable?
All Identity Manager
When the initial provisioning role is assigned to an IM User, it triggers the creation of the Provisioning Global User at that time. If the Provisioning Global User is created without a password, disabledstate is set to 16777216 to force a password reset so that the Provisioning Global User then gets a password.
One possible cause is that the initial provisioning role was assigned to a new IM User during a Create User task in which no password was set, so no password was set when the Provisioning Global User was created.
Another possible cause is that the initial provisioning role was assigned to an existing IM User during a Modify User task. In this case IM is not able to retrieve the current password of the IM User to set it on the Provisioning Global User.
The only way to prevent this behavior is to make sure that the IM user password is set within the same task that assigns the initial provisioning role. This sends the user's password down to the global user account and does not force a password change.
The following KB article may be helpful for using a PX Policy (it has to be of type=UI) to set a password:
https://knowledge.broadcom.com/external/article/12996