A lot of folks have hit this apparently, so I wanted to share my findings and how to fix it.
If a non-admin user logs in to the Sample Control Panel that comes with the HMC 3.5 Consolidated Server Deployment Guide (MPSSampleCP), they cannot change their password. The error received is:
An error encountered while processing object 'LDAP://ad01.fabrikam.com/CNemail@example.com,OU=alpineskihouse,
OU=consolidatedmessenger,OU=Hosting,DC=fabrikam,DC=com'./Access is denied./UserSetPassword
The first clue is in the error message itself. It tells us that the error happened in UserSetPassword. It may not be immediately obvious, but UserSetPassword is NOT what we should be executing here!
First, some background. There are 2 different ways to change a user's password. The first is what any user should be able to do: change their own password. This is similar to changing your password in Windows. You're prompted for your old password, then your new password (twice, just to make sure). This is accomplished in the provisioning world via the ChangeUserPassword method in the Managed Active Directory namespace.
The second method is an administrator-only method: resetting a user's password. This is similar to right-clicking a user in Active Directory Users and Computers and choosing "Reset Password..." You're not prompted for the old password, since in most cases you shouldn't know it. This is accomplished via the SetUserPassword method in the Managed Active Directory namespace.
So that text in the error kind of tips us off that we're not doing the right thing here. Another clue is the UI that's presented to us in the Control Panel. The title of the page is "Reset Password," and we're only asked for the new password, not the old! A TraceView trace confirms it: we're calling the SetUserPassword method, not the ChangeUserPassword method! Since the user is not an administrator, they're not allowed to reset passwords.
Fixing it is fairly simple, assuming that you're somewhat familiar with Visual Studio. The whole password UI/logic in the Sample Control Panel is contained within a DLL called CorePlugins.dll. You'll find this DLL in %Program Files%\Microsoft Hosting\Provisioning\Samples\MPSSampleCP\bin. We need to rebuild this DLL using Visual Studio.NET 2003.
You'll find the source code for this DLL in %Program Files%\Microsoft Hosting\Provisioning\Samples\MPSSampleCP\CorePlugins. In that directory you should see a solution file called CorePlugins.sln. (If you don't, it's OK...look for CorePlugins.csproj instead). Open this with Visual Studio.
Now all you need to do is rebuild. No code changes are needed. Just make sure that you're doing a Release build. Go to the Build menu and select Configuration Manager. For Active Solution Configuration, choose Release and click OK. Then on the Build menu, choose Rebuild CorePlugins. This will rebuild the DLL. If it all works, the Output window should show this:
---------------------- Done ----------------------
Rebuild All: 1 succeeded, 0 failed, 0 skipped
From the CorePlugins directory, go to the .\bin\Release directory and you should see your new CorePlugins.dll. Rename the one in %Program Files%\Microsoft Hosting\Provisioning\Samples\MPSSampleCP\bin and drop this new one in.
You should now see that if a non-admin users logs in to the Sample Control Panel and chooses the Change Password option, that the page title is now "Change Password," and that you have 3 input boxes: one for the old password, 2 for the new. Best of all, when the user submits the request, it should work 😉
Special thanks to dfrauzel for independently verifying this! I agree with his theory that most likely what happened was a last minute code change to the sample happened, and the binaries weren't rebuilt for the installer package.