I have a question for you, if you are.

What happens when a password is set via ADUC, reset password on a user
by Admin, and it does not meet complexity per SpecOps?

We see an event in the event log, saying it failed.

But should IDM get the password change?

We find that AD did NOT change, but IDM picked it up and synced it
everywhere else.

Do Password Filters on AD apply in sequence? Or in parellel. I.e.
Should we ensure pwfilter.dll loads after the SecOps/SpecOps one?

Also I had heard that there were two ways to have it store Unique
password history. One is an attribute of the object. Second is as
objects UNDER the User (make them a container, a lot of AD apps do
this). It means the delete code needs to change of course. Since
simply deleting a non-leaf node throws an LDAP error.

But the guy I am working with cannot find reference to this setting.