I have been running the Active Directory driver for about a year, but
only with the Subscriber channel synchronization.

We now wish to enable Password Synchronization from Active Directory
back to the Identity Vault. I am having a tough time.

I have changed the password policy to Microsoft.

I have installed the Password Sync Filter on our single domain controller.

I have changed the Password Synchronization settings on the Active
Directory driver to allow synchronization both ways.

The Driver Filter is where I am getting stuck. I changed the User object
Publish from ignore to synchronize, and changed all my attributes except
nspmDistributionPassword to ignore. I changed nspmDistributionPassword
to Notify of both Publish and Subscriber. Is that correct?

The issue I am writing about is that when I restarted the driver, I started
getting TONS of events related to deleted objects.

DirXML Log Event -------------------
Driver: \TCORP-VAULT\tcorp\driverset\Active Directory
Channel: Publisher
Status: Warning
Message: Code(-8019) Operation vetoed on unassociated object.

I had to turn the driver off and back out all my changes. I was getting
hundreds of these.

Can someone explain what I have done wrong, and the proper way for me to
change a Subscriber-only Active Directory driver to start doing
Password-only synchronization in both directions?