Problem

The AS400 (i5os) bidirectional driver supports bidirectional synchronization as the name suggests (IDM 3.01 and 3.5). There is a limitation to this, though. Almost all events can be trapped including password changes, but from the i5os side you cannot catch administrative password changes.

What that means is if a user changes their password on the AS400 the driver shim will catch it. But if an administrator resets a user password on the AS400 side, the shim will not see an event. This is obvious from the driver shim trace log, which will show all events happening, except the administrative password reset.

Solution

To the best of my knowledge, the solution is: don't do administrative password changes - not if you want them synced via IDM.

If you need to force a password reset on a user in AS400, you would have to initiate the change from outside the AS400 system, such as in the Identity Vault or another connected system. Since the driver is bidirectional, it will flow into the AS400 system.

It is only administrative passwords changes within the AS400 system that
cannot be trapped and dealt with.