If you are creating an AD account, how about trying to remove the “password” attribute in an after provisioning rule from the plan. Or in any application that you are setting a password in, there is a bug where it tries to update password history and commits the wrong identity object.