DirXML version 1.1a used Password Sync V1.0. Identity Manager 2.0x and Novell Identity Manager 3.0x use Password Sync v2.0.
When you move from DirXML to IDM 2 or 3, and you do an in-place upgrade of a Remote Loader server with the Password Sync service installed, the upgrade should remove the old one (v1.0) and replace it with the new one, (v2.0). They use separate files (NWPWDFLT.DLL for 1.0 and PWFilter.dll for 2.0) and separate Event Log Entries (PwdSync for 1.0 and Password Sync for 2.0).
The problem occurs if the install does not correctly de-register the 1.0 filter and leaves it behind. It is then listed first in the registered Password change API list, so it gets the password events and causes sync issues.
To fix this problem,
1. Open Regedit and look at HKLM\SYSTEM\CurrentControlSet\Control\Lsa for Key Notification Packages.
It should be multi-valued with several entries. You should see both NWPWDFLT and PwFilter in the list.
2. Edit the values of the key and remove the NWPWDFLT from the list.
3. Reboot so the changes take effect.
You will probably have trouble unregistering the DLL at first, so:
4. Rename the DLL.
6. Try to run “regsvr32 /u nwpwdflt.dll” to get rid of it entirely.
After this, you should be able to delete the old .DLL, in Windows\system32.
For reference, there are some good TIDs on how to remove v2.0:
However, these don’t help as much if you have 1.0 and 2.0 at the same time!
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.