3.1.1.8.5 clearTextPassword
If the pwdProperties attribute value on the account domain object contains the DOMAIN_PASSWORD_NO_CLEAR_CHANGE bit, the server MUST abort the request and return an error status.
If either the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT or the msDS-KrbTgtLinkBl attribute is present and refers to a read-only domain controller (RODC) object, and the requesting protocol is a change-password protocol, the server MUST abort the request and return error status.
If either the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT or the msDS-KrbTgtLinkBl attribute is present and refers to an RODC object, and the requesting protocol is a set-password protocol, the value of clearTextPassword MUST be replaced with a randomly generated value that satisfies all the criteria in section 3.1.1.7.2.
The constraints in section 3.1.1.7.2 MUST be satisfied.
The unicodePwd attribute MUST be updated with the NT hash of new value.
The dBCSPwd attribute MUST be updated with the LM hash of new value.
On a DC configuration, the supplementalCredentials attribute MUST be updated with the cleartext value (see section 3.1.1.8.11 for processing details on how supplementalCredentials is updated).