SSPR v4.5.0.4 b85 r69f7e436 is the version we are on and it does not enforce the AD Complexity of "Not contain the user's account name or parts of the user's full name that exceed two consecutive characters".
For a person with a first name of John, SSPR would reject a password of JohnWilly!23 but would not reject JoWil!23. Then, when the SSPR-accepted password syncs to AD, it gets rejected because it hits that violation of two consecutive characters from the name.
DirXML Log Event -------------------
Driver: AD
Channel: Subscriber
Object: User
Status: Error
Message: <message>Password set failed.</message>
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
<server-err>0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="1325"/>
</ldap-err>
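
An added example, not part of the original post or of SSPR or the IDM driver: a small triage helper that pulls the `<ldap-err>` block out of a log event like the one above and decodes it. The leading hex field `0000052D` and `win32-rc="1325"` are the same Win32 code, ERROR_PASSWORD_RESTRICTION, which Windows returns when a new password fails the domain's length, complexity or history requirements. The function and field names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Win32 code -> symbolic name. 1325 (0x52D) is the Windows password-policy
# rejection: new password fails length, complexity or history requirements.
WIN32_NAMES = {1325: "ERROR_PASSWORD_RESTRICTION"}

# Constructed sample: the log event from the post, embedded so this runs offline.
SAMPLE_EVENT = """DirXML Log Event -------------------
Driver: AD
Channel: Subscriber
Object: User
Status: Error
Message: <message>Password set failed.</message>
<ldap-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">
<client-err ldap-rc="53" ldap-rc-name="LDAP_UNWILLING_TO_PERFORM">Unwilling To Perform</client-err>
<server-err>0000052D: SvcErr: DSID-031A124C, problem 5003 (WILL_NOT_PERFORM), data 0
</server-err>
<server-err-ex win32-rc="1325"/>
</ldap-err>"""

LDAP_ERR = re.compile(r"<ldap-err\b.*?</ldap-err>", re.S)
SERVER_ERR = re.compile(r"\s*([0-9A-Fa-f]{8}):\s*\w+:\s*(DSID-[0-9A-Fa-f]+)")

def classify_event(event_text):
    """Return a triage dict for one log event, or None if it has no <ldap-err>."""
    found = LDAP_ERR.search(event_text)
    if not found:
        return None
    root = ET.fromstring(found.group(0))
    # Leading hex field of <server-err> is the Win32 code as AD reported it.
    m = SERVER_ERR.match(root.findtext("server-err", default=""))
    hex_rc = int(m.group(1), 16) if m else None
    ex = root.find("server-err-ex")
    win32_rc = int(ex.get("win32-rc")) if ex is not None and ex.get("win32-rc") else hex_rc
    return {
        "ldap_rc": int(root.get("ldap-rc", "-1")),
        "win32_rc": win32_rc,
        "win32_name": WIN32_NAMES.get(win32_rc, "UNKNOWN"),
        "dsid": m.group(2) if m else None,
        # Both sources present and disagreeing suggests a truncated or altered event.
        "codes_agree": hex_rc is None or win32_rc == hex_rc,
        "policy_rejection": win32_rc == 1325,
    }

if __name__ == "__main__":
    print(classify_event(SAMPLE_EVENT))
```

Counting events where `policy_rejection` is true gives a measure of how often a password that passed the front-end policy check is later refused by the directory.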