A user cannot change their Active Directory account password from the client.
Step by Step
Start by setting Debug Events to "On" from the Mobility server console by going to Configure > Server Settings > Events > Debug. Then reproduce the problem so it appears in the event log. Create the log by going to System > Gather Support Data. Ensure the "Event Log" box is checked, and click Create Report.
Open the server log and look for "0xc0020017". The full debug line should look like this:
Security - Server - change password function for user example.user in domain NETVPN returns status = 0xc0020017.
This means that name resolution is failing to the domain "NETVPN".
Make an entry into the host file for the domain controller name found in the debug log. Test to see if the client can now change his password.
Long term fix:
Make sure that the DNS is properly configured for this domain name so that name resolution will not fail with any server or new Mobility server they build.