How to set never expire password in AD using Active Directory Driver for service accounts?
In the AD driver documentation https://www.netiq.com/documentation/identity-manager-48-drivers/pdfdoc/ad/ad.pdf on p 28 there is a list of all the attributes used to set the UAC.
To explain a bit more, userAccountControl in AD is a bitmask attribute. IDM breaks those bits out to individual fake attributes you can send into the shim to set. So you could set an integer like 512. But what you want is to set bit 6 or something; then there is a list of pseudo attributes the shim knows represent specific bits in the mask. Like disabled is bit 1, I think, and is represented by DirXML-uacDisable or something like that. Specifics at the link above.
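Added example (not from the thread or from the NetIQ driver): the bitmask arithmetic described above, using the flag values from Microsoft's userAccountControl documentation, plus a check that lists enabled accounts carrying flags worth reviewing. The account names and values are constructed, and the choice of review flags is an assumption.

```python
from enum import IntFlag


class UAC(IntFlag):
    """Subset of userAccountControl bits (values per Microsoft's documentation)."""
    ACCOUNTDISABLE = 0x0002
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH = 0x400000


# Flags that weaken password or Kerberos hygiene (assumed review policy).
REVIEW = UAC.DONT_EXPIRE_PASSWORD | UAC.PASSWD_NOTREQD | UAC.DONT_REQ_PREAUTH


def decode(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [f.name for f in UAC if value & int(f)]


def set_flag(value, flag, on=True):
    """Set or clear one bit, leaving every other bit untouched."""
    return (value | int(flag)) if on else (value & ~int(flag))


def audit(accounts):
    """Map each enabled account to the review flags it carries."""
    findings = {}
    for name, value in accounts.items():
        if value & int(UAC.ACCOUNTDISABLE):
            continue  # disabled accounts cannot log on; skip them
        hits = [f.name for f in UAC if value & int(f) & int(REVIEW)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data: account name -> userAccountControl value.
SAMPLE = {
    "jdoe": 512,          # plain enabled user
    "svc-backup": 66048,  # 512 + DONT_EXPIRE_PASSWORD
    "svc-legacy": 66080,  # also PASSWD_NOTREQD
    "svc-old": 66050,     # disabled, so not reported
}

if __name__ == "__main__":
    print(decode(set_flag(512, UAC.DONT_EXPIRE_PASSWORD)))
    print(audit(SAMPLE))
```

Writing the whole integer overwrites every bit at once, which is why `set_flag` starts from the account's current value.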
Depending on the AD schema version, some of these may also be outside the UAC and are a user rights permission; then it's PSEXEC and the PowerShell service. Ran into this with later versions of AD.
Oh really? I missed that joy.
I need to review my notes from 3 yrs ago, but yeah, it's either no password or password never expires, or both, that is now outside the UAC. The only alternative was sending it through the psexec path.