We are having an issue where more and more people are unable to change
their password without it being reset beforehand.

Running DSFW on 3 oes11 servers, fully patched. I found a script that
scours our tree, checking user accounts for password expirations &
emailing them if it's X days from expiring.

Users that receive this email go through <ctrl><alt><del>, and take the
option to change their password. They go through the steps to change
their password, and it does not get changed.

If we go through iManager and reset their universal password, then they
are allowed to change their password.

Any ideas?