We have a Windows 2003 domain controller through which users authenticate using LDAP queries. A user is created with the option “User cannot change password”, but through LDAP I was able to change the password of this user. I didn’t define any security policies.
What should be the expected behaviour for this scenario?