I implemented Universal Passwords with two password policies: one that allows users to change passwords and one that doesn't (for certain "special" accounts).

Accounts given the first policy create fine in AD; accounts given the policy that does not allow password changes do not create. However, for the latter case, if I use a management tool to change the password, the account is created in AD.

I'm guessing that, by not allowing the user account to change passwords, the nspmDistributionPassword attribute does not get set, so the rule that requires that attribute blocks account creation, but I don't have the expertise to know if I'm right. Does that sound like the likely explanation or might there be another cause?