Active Directory Password Synch Agent--can it determine whether a user is an admin?

Document ID : KB000107005
Last Modified Date : 18/07/2018
Question:
We have the Identity Manager suite connected to Active Directory (currently the "master"). We have noticed that the password agent sitting on the domain controllers does not differentiate between a "password reset" (completed by an "admin" on behalf of someone) and a "password change" (completed by a user for themselves). Is there a setting that will allow the password agent to differentiate between these? One of our password rules that we enforce for password changes has to do with password history (can't use the same password for x number of password changes). However, we don't enforce that for a password reset, since admins will typically use a common password when they reset someone's password and enforce a password change on first login.
Answer:
No, there is no way the password agent can distinguish whether a user is an admin or another user. The agent is just a Windows password filter that passes along the request.