You may have noticed that if the check box "user cannot change password" is selected natively (ADUC), but then removed in Active Roles (MMC), Active Roles is stripping the user's permissions to change their own password (SELF - Change Password).
Meaning, the user in question is no longer able to change their passwords, even though no restrictions are set in the object’s properties.
This is a product defect (TF00706707).
This Product Defect (TF00706707) has been fixed in the latest 7.0.4 hotfix release, you can get more information from:
Active Roles 7.0.4 Public Hotfix (multiple fixes) (231327)