By default using UserPassword method (either through a simple ldif file or something like java) is disabled in Active Directory.
Why Enable UserPassword in Microsoft Active Directory#As with the unicodePwd attribute is as a LDAP Modify Request operation:
- Password Change - is a Delete Modification-type (oldPassword value) followed by an Add Modification-type (newPassword value)
- Password Reset - LDAP Modify Request operation containing a single Replace Modification-type (newPassword value).
However, the special encoding required for updating the unicodePwd attribute is not used with the userPassword attribute; The password values for UserPassword are sent to the server as UTF-8 strings, but; surrounding quotation marks are not used. Which make things more consistent with other LDAP Server Implementations
Enable UserPassword in Microsoft Active Directory Process #In order to enable the UserPassword method you must change the dsHeuristics  attribute using ADSI edit and set the fuserPassword  method to true.
fUserPwdSupport#fUserPwdSupport value is used to determine the behavior of the UserPassword attribute within Microsoft Active Directory or AD LDS.
- If this character is neither "0" nor "2", then the fUserPwdSupport heuristic is TRUE. (Below, we use "1")
- If this character is "2", then the fUserPwdSupport heuristic is FALSE.
- If this character is "0", then the fUserPwdSupport heuristic is FALSE for Microsoft Active Directory and TRUE for AD LDS.
Right Click ADSI Edit #Right Click ADSI Edit and choose Connect to (note that this is not necessary if adsi was used previously and the connection is already there)
Select Configuration #Choose Select a well known Naming Context of Configuration and Select Default (Domain or server that you are logged into). And click ok
Expand Configuration #Expand Configuration down to Configuration/CN=Configuration,DC=XXX,DC=xxx/CN=Services/CN=Windows NT/CN=Directory Service
Choose Properties #Right Click Directory Service and choose Properties
Scroll to dsHeuristics #Scroll to dsHeuristics and double click it: You need to modify the 9th position and enter a 1. If there was no value in dsHeuristics then enter 000000001 and click ok.
Click Ok #Click Ok to get back to the main editor.
Update Schema Now #Then on the top level Configuration server.domain.org item right click and choose update Schema Now.
Finally #At this point you can connect using SSL and use an LDIF to change the users password
More Information #There might be more information for this subject on one of the following:
- Active Directory and Passwords
- Example - Active Directory Change Password JNDI
- Passwords Using LDIF
- Set Active Directory Password From Java
- Setting and Changing Microsoft Active Directory Passwords