IDM sync error 9006

We recently encountered sync errors for our AD driver set in IDM. When checking password status, all users have a sync error 9006.

The Subscriber status log also has the following message output for many users:

<status event-id="pwd-subscribe" level="error" type="driver-general">Could not set password via platform call. Err=2245 (password invalid)<operation-data>
<password-subscribe-status>
<association>6ba5f61706e78342b87209529cda5903</association>
</password-subscribe-status>
</operation-data>
<application>DirXML</application>
<module>Active Directory</module>
<object-dn>\NYM\nym\MTA-Users\CPhilip</object-dn>
<component>Subscriber</component>
</status>

I'd greatly like to get feedback on possible root causes, as I don't have very much reference or experience with troubleshooting Identity Manager.
  • From the other thread:

    The error means that the password you tried to send to
    microsoft active directory (MAD) is not one that it (MAD) will accept,
    probably because you have complexity rules there which are rejecting the
    password. Having mismatched password policies in the vault and an
    application is a recipe for this kind of problem so check there first, or
    else check with your MAD administrators for why the passwords sent were
    invalid (assuming they know how to tell from their logs).

    I think you have tried disabling complexity in MAD so NEW password changes
    should now go through where before they could not. Since you are new it
    may be worth pointing out that Identity Manager (IDM) is event-driven, so
    the passwords will not continue retrying indefinitely after an error is
    returned from the application, meaning the passwords will not suddenly
    become synchronized without some action causing a password change to go
    through. Try setting a password on one of these users and see if it will
    go through now.

    Perhaps even better, try setting a similar password on the user directly
    in MAD before you try via IDM. If you can set a password like
    'sillypassword' directly via MAD's own tools, preferably as the user
    rather than as an admin, then you know your complexity rules are disabled.
    If not, then IDM cannot override those rules and you either need to fix
    those rules or change the password policy within the Identity Vault
    (eDirectory) so that harder-to-remember passwords are required here as
    well as there. That goes against best practices, but it is also what
    microsoft and others have pushed for decades.

    https://xkcd.com/936/

    --
    Good luck.

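Since failed password events are not retried, the affected users have to be identified from the status log before new password changes are pushed. The Python sketch below is an added example, not code from the thread or from the product: it groups Subscriber password failures by error code. It assumes the log is plain text with `<status>` documents embedded in it, and the `ExampleUser` and `ExampleOk` entries are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Sample input: the event quoted in the post, followed by two constructed
# one-line events (one further failure, one success that must be ignored).
SAMPLE_LOG = r"""
<status event-id="pwd-subscribe" level="error" type="driver-general">Could not set password via platform call. Err=2245 (password invalid)<operation-data>
<password-subscribe-status>
<association>6ba5f61706e78342b87209529cda5903</association>
</password-subscribe-status>
</operation-data>
<application>DirXML</application>
<module>Active Directory</module>
<object-dn>\NYM\nym\MTA-Users\CPhilip</object-dn>
<component>Subscriber</component>
</status>
<status event-id="pwd-subscribe" level="error" type="driver-general">Could not set password via platform call. Err=2245 (password invalid)<object-dn>\NYM\nym\MTA-Users\ExampleUser</object-dn></status>
<status event-id="pwd-subscribe" level="success"><object-dn>\NYM\nym\MTA-Users\ExampleOk</object-dn></status>
"""

STATUS_RE = re.compile(r"<status\b.*?</status>", re.DOTALL)
ERR_RE = re.compile(r"Err=(\d+)\s*\(([^)]*)\)")

def failed_password_syncs(log_text):
    """Return {(code, reason): [(object_dn, association), ...]} for password errors."""
    failures = defaultdict(list)
    for block in STATUS_RE.findall(log_text):
        try:
            status = ET.fromstring(block)
        except ET.ParseError:
            continue  # trace text that only looks like a status document
        if status.get("level") != "error" or status.get("event-id") != "pwd-subscribe":
            continue
        match = ERR_RE.search(status.text or "")
        key = (int(match.group(1)), match.group(2)) if match else (None, "unparsed")
        dn = (status.findtext("object-dn") or "").strip()
        assoc = (status.findtext(".//association") or "").strip()
        if (dn, assoc) not in failures[key]:  # report each user once per error
            failures[key].append((dn, assoc))
    return dict(failures)

if __name__ == "__main__":
    for (code, reason), users in failed_password_syncs(SAMPLE_LOG).items():
        print(f"Err={code} ({reason}): {len(users)} user(s) need a new password event")
        for dn, assoc in users:
            print(f"  {dn}  association={assoc or '-'}")
```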