Similar things have come up in the past, but usually in the form of
wanting to synchronize the expiration time, including expiring the
password, even when IDM synchronize the password in such a way that the
admin-set password in this tree looks like a user-set password in that
tree. Basically what I remember suggesting at the time was coming up with
some logic that basically states, "If the password changed, and if eh
expiration time is something less than a day in the future (meaning it is
probably set to the present or near-past), then send the password over.
When an admin sets the password the password should be expired (meaning an
expiration time of now()) so you can key off of that using a little xpath
or something to compare values. No need for your adminReset attribute, in
that case.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...