Here's an example using the Active Directory driver, although the same issue could occur for another driver.
Example: Suppose you want the Active Directory driver to provide the initial password for user when it creates a new user object in eDirectory to match a user in Active Directory. The sample configuration for the Active Directory driver sends the initial password as a separate operation than adding the user, and the sample configuration also includes a policy that provides a default password for a user if no password is provided by Active Directory. Because adding the user and setting the password are done separately, in this case a new user always receives the default password, even if only momentarily, and it is soon updated because the Active Directory driver sends the password immediately after adding the user. If the default password does not comply with the eDirectory Password Policy for the user, an error is displayed. For example, if a default password created using the user's surname is too short to comply with the Password Policy, you might see a -216 error saying the password is too short. However, the situation is soon rectified if the Active Directory driver then sends an initial password that does comply.
Regardless of the driver you are using, if you want a connected system that is creating user objects to provide the initial password, consider doing one of the following. These measures are especially important if the initial password does not come with the add event and instead comes in a subsequent event.
This option is preferable because we recommend that a default Password Policy exists in order to maintain a high level of security within the system.
or