The Jamf binary uses
dscl to reset passwords, and there's been quirks with that method since High Sierra introduced secureToken. I would create a policy that uses
sysadminctl to change the password. It force creates a new Keychain, as well.
sudo sysadminctl -adminUser AdminUserHere -adminPassword AdminPasswordHere -resetPasswordFor UserToBeResetHere -newPassword NewPasswordHere