We should be able to accomplish this by engaging the PAM service and having it execute this task, not a script or a PAM IDM driver. We also need to develop a method for re-syncing the password if the Windows server was restored from a backup.
This is understood and aligns with comments I made in another Idea post. Historically, the belief around managing credentials for credentials in the vault was to enable an integration between PAM and IDM so that IDM would have this responsibility. However, the ability to manage credential passwords in the vault has matured into a "PAM" product requirement, i.e. a table-stakes requirement. Also, IDM is a VERY big beast to deploy for a need that is trivial in comparison to overall IDM use cases. As part of the PAM 1H CY '18 release we are supporting the discovery and management of Service Accounts. This means the ability to manage the passwords for Service Accounts and update them appropriately based on policy. Therefore, what will be needed to address this Idea will be at least in part introduced in the next PAM release. Then it will be a matter of extending that capability appropriately to address this use case and ultimately enabling PAM to manage passwords for credentials stored within the credential vault based on policy.