In Identity Manger 3.5.1, under who's authority is a password changed when using universal password. Also, who is the perpetrator?
If you sync using the universal password the password is set using the admin's authority which is why it is expired unless the password policy had the "Do not expire the user's password when the administrator sets the password" check box selected. In this case, the audit record will show that the perpetrator is the administrator.
You can check for these settings on the Global Config values Tab of the properties of the driver. Publish passwords to NDS password set to true will sync to the Universal Password. What really happens behind the scenes is that we send the command to set the old NDS password and NMAS intercepts the call and sets the Universal Password instead.
If both the Publish passwords to NDS password and Publish passwords to Distribution Password are set to true, then you will see two password changes in trace with the admin setting the Universal Password second. This will result in the password being expired.