There are a few race conditions that DDOS the pw change, it can also happen on other apps.
and I am sure I have seen an issue where the AD crosses a time zone… that is to say, the time comparison & setting my have an exploit related to TZ, if i remember correctly… unless it got fixed…
I think it relates to users & doing a forced lockout or account deactivation,( maybe related to the user has to change the PW on initial log account setup.)
the other thing that needs sorting out, it that UCS and samba requirements are NOT synced… as per pw requirements , length etc…