There is a process in AD called AdminSDHolder which protects accounts that are members of privileged groups. There is a template object in the System container in AD; when the process runs (every 60 minutes) it reads the security page of that template object and mirrors it onto the protected accounts. By default the Account Operators group is not listed on the security page of the template object, and the FIM AD account is a member of the Account Operators group. So I find that the FIM account fails to make changes to admin accounts, service accounts and other such accounts. There are about 150 of them, but they keep coming up here and there. Here is the solution.
Go to the template object and add the FIM AD account with Full Control. When the process next runs, it will add the FIM AD account to the security descriptor of all these protected objects. One should make this standard practice for all FIM AD deployments.
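As an added example, not from the original post: a PowerShell script that applies the fix above (adds the Full Control entry for the FIM AD account on AdminSDHolder) and then lists the protected accounts whose security descriptor still lacks that entry, so you can confirm the next run picked it up. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder account name, CONTOSO\FIMADMA, for the FIM AD management-agent account.

```powershell
# Added example (not from the original post). Grants the FIM AD management-agent
# account Full Control on AdminSDHolder, then lists protected accounts that do not
# yet carry that entry so you can confirm the next SDProp pass picked it up.
# Assumptions (placeholders): the RSAT ActiveDirectory module is installed and the
# FIM account is CONTOSO\FIMADMA; run as an account allowed to edit AdminSDHolder.
Import-Module ActiveDirectory

$FimAccount = 'CONTOSO\FIMADMA'                     # placeholder: the FIM AD MA account
$domainDN   = (Get-ADDomain).DistinguishedName
$holderDN   = "CN=AdminSDHolder,CN=System,$domainDN"
$holderPath = "AD:\$holderDN"

# Resolve the account to a SID and build an Allow ACE for Full Control (GenericAll).
# Scope it to the object itself; user and group objects have no child objects.
$sid = (New-Object System.Security.Principal.NTAccount($FimAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
           [System.Security.AccessControl.AccessControlType]::Allow,
           [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Add the ACE to the template's DACL only if it is not already there (idempotent).
$acl = Get-Acl -Path $holderPath
$already = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $FimAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -eq 'GenericAll'
}
if (-not $already) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path $holderPath -AclObject $acl
    Write-Host "Added Full Control ACE for $FimAccount on $holderDN"
}

# Protected accounts are stamped with adminCount=1. Report the ones whose DACL still
# lacks the FIM entry; this list should empty out after the next 60-minute run.
$filter = '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))'
Get-ADObject -LDAPFilter $filter -SearchBase $domainDN | ForEach-Object {
    $obj    = $_
    $objAcl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $hasAce = $objAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $FimAccount -and
        $_.ActiveDirectoryRights -eq 'GenericAll'
    }
    if (-not $hasAce) {
        [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName; FimAceMissing = $true }
    }
}
```

Because the template's DACL is copied onto every protected account, this grant gives the FIM AD account the same reach as the other entries on AdminSDHolder; treat that account's credentials with the same care as a domain admin's.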
Another alternative is not to put the FIM AD account in a domain privileged group like Account Operators at all, but to use delegation and give the FIM AD account specific delegated rights on the OUs it manages.
I would recommend doing both.