To change the password on an account, you have to have the SeChangeNotifyName (bypass traverse checking privilege) in addition to the right to change the password. If the tool is changing the password over the network, the account you use to execute the tool must also have the right to log on from the network on the target machine or domain controller. By default, all users have these rights and permissions in Windows 2000 and higher. Because you must know the old password to change the password, this is not a security breach. If you have the old password, you obviously have the right to change the password.
If you do not have the old password, the tool will perform a password reset. In this case, you need the same rights, but you also need permission to reset a password. By default, only administrators and the user whose password you are trying to reset have these rights.
If you specify the identifier 500 for the account name, you must have the right to perform SID/ Name translation on the target. By default, all users have this right in Windows 2000. In Windows XP and higher, all authenticated users can perform this operation.