I am stuck. We want to change our password policy, but it will be more
restrictive than the seed passwords we generate on new people. The seed
passwords cannot change(i wont go into that).

So what I have done is change the password policy that is on the partition
and inherited by users to be more restrictive as instructed. I then created
a less restrictive password policy and have assigned that password policy in
the create rule on each edir driver. That works---seed passwords will go
through because the new user is getting the explicit policy.

What I am having problems with though is figuring out once the new user is
created how to delete the less restrictive policy---basically i need to
delete the nspmpasswordpolicydn attribute on both drivers which i create in
the create rules so that the user now inherits the stronger policy. Any
hints or suggestions?