From old PS we imported Global users, Provisioning Roles, Account Templates, Prov role-Account template inclusions, endpoint definitions, endpoint-account template inclusion.
After that we made an explore-correlate in all endpoints to get actual accounts.
We got the issue. The accounts were not linked to their account templates.
The explore & correlate process recreated the account into the provisioning store with the "Global User/Account" inclusions.
There is no Account/Template inclusion but a multi valued Account eTPolicyDN attribute which stores the template names.
And the E&C did not set the Account eTPolicyDN attribute.
Here is the design showing which links are inclusions and which ones are managed by attributes.
(Global User) --- [eTRoleDN] ---> (Role) --- [Inclusion] ---> (Template) --- [inclusion] ---> (Endpoint)
(Global User) --- [inclusion] ---> (Account) --- [eTPolicyDN] ---> (Template)
Solution was either to re-synchronize the Global users with their roles and so the account eTPolicyDN is set for the associated accounts or to import the eTPolicyDN values into the CA Directory.