If you create users in Active Directory with passwords that violate the Directory Server password policy, those users are still created and synchronized to Directory Server, but their entries are created without a password. The password is not set until the new user logs in to Directory Server, which triggers on-demand password synchronization. At that point the login fails, because the password violates the Directory Server password policy.
To recover from this situation, do one of the following:
Force users to change their password the next time they log in to Active Directory.
Change the user password in Active Directory, making sure that the new password meets Directory Server password policy requirements.
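The first recovery option can be applied to several accounts at once from PowerShell. The following is an added example, not part of the original documentation; it assumes the ActiveDirectory module is available, and the function name `Set-ForcePasswordChange` and the sample account names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (not from the product documentation): flags each listed
# Active Directory account so the user must change password at next logon.
function Set-ForcePasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$SamAccountName
    )
    process {
        foreach ($name in $SamAccountName) {
            try {
                $user = Get-ADUser -Identity $name -ErrorAction Stop `
                    -Properties PasswordNeverExpires, CannotChangePassword
            } catch {
                [pscustomobject]@{ Account = $name; Result = 'Not found in Active Directory' }
                continue
            }

            # -ChangePasswordAtLogon cannot be set to $true on an account that has
            # PasswordNeverExpires set, and a user who cannot change the password
            # could never complete the forced change. Report these instead.
            if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
                [pscustomobject]@{ Account = $name; Result = 'Skipped: conflicting account flags' }
                continue
            }

            if ($PSCmdlet.ShouldProcess($name, 'Require password change at next logon')) {
                Set-ADUser -Identity $user -ChangePasswordAtLogon $true
                [pscustomobject]@{ Account = $name; Result = 'Flagged for password change' }
            }
        }
    }
}

# Constructed sample input: accounts whose Directory Server entries were
# created without a password. -WhatIf previews the change without applying it.
'jdoe', 'asmith' | Set-ForcePasswordChange -WhatIf
```

Remove `-WhatIf` to apply the change. Accounts reported as skipped need the second option instead: an administrator sets a new password that meets the Directory Server password policy.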