First: please be aware that this question is not that easy and that wild guesses are likely to be ignored. You should try any suggestion yourself prior to making it.
Setup: Domain Controller on 2008 R2 or (if you like) on 2012 R2 (maybe 2003, haven't tested)
Clients: does not matter, anything you have
1) users may change their Password interactively using CTRL-Alt-Del
2) domain administrators may change anyone's password using the shell command
net user someuser newpa$$word /domain
3) standard users get "access denied" trying 2)
**now for the interesting part, the reason why I am asking**
4) standard users that use passwd.exe (a freeware alternative command line password changer) may successfully change their password.
Why is that so? What does passwd.exe do that net.exe cannot? Has Microsoft crippled net.exe for some reason?
Why do I need this: Because we would like to use script-based self-invoked password changing with standard user accounts and hoped not to use 3rd party utilities for that.
Find passwd.exe attached, change .doc to .exe