IDM 3.5.1
Windows Server 2003
Active Directoy IDM Driver

Setting AD passwords on newly created accounts.

I was just wondering what will be "best-practices" for following

Scenario: New users creation from IDVault to AD.

The requirements:

The domain password policy in the AD domain require(s) a complex password
on the users. and I have the
following requirement(s);:

a) The new created user should be created as Diabled in AD
b) There should be set a random complex generated password for each new
c) THe account option(s) on the newly user created to be set (The user
should change password on next logon)..

to acheive this I'm doing following rules:

a) AD-Subscriber: Setting Login-Disabled = true
b) AD-Subscriber: Setting a random defulat password on the user
c) AD-Publisher : When i know the user is created successfully in the AD,
Im setting a complex password "one more time".
d) AD-Publisher : Setting account option(s), The user should change
password at next logon.

So... I was wondering, am I performing "set-password" options for too
many times??? (like once on the subscriber and again from the pubslisher??)

The clue of setting passwords on the newly created user on the "Publisher"
is to be sure 100% that user exist in the AD before I Set password..

Any good design guidelines would be appreciated!