"On Windows Server 2003 operating system and later, the DC also permits modification of the unicodePwd attribute on a connection protected by 128-bit (or better) Simple Authentication and Security Layer (SASL)-layer encryption instead of SSL/TLS." Ref: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2
I think, specific to this attribute, the document says:
"For the password change operation to succeed, the server enforces the requirement that the user or inetOrgPerson object whose password is being changed MUST possess the "User-Change-Password" control access right on itself, and that Vdel MUST be the current password on the object."
You may increase the LDAP logging level by following this link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/configure-ad-and-lds-event-logging. The Diagnostics subkey referenced in the article may be chosen as 16 or 27 to check LDAP interface events or PDC password update notifications, respectively. The logging level may be chosen as 4 (verbose).
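
The password change quoted above, as an added example that is not part of the original post: MS-ADTS describes it as a single modify that deletes the current value (Vdel) and adds the new one (Vadd), each sent as the password wrapped in double quotes and encoded as UTF-16LE. The DN, the passwords and the function names below are constructed for illustration.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way unicodePwd expects: quoted, then UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Reverse of encode_unicode_pwd; rejects values that are not quoted."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def build_password_change_ldif(dn: str, current: str, new: str) -> str:
    """Build the LDIF for a user-initiated change: delete Vdel, add Vadd.

    Both operations must be in the same modify request. The DC only accepts
    it on a connection protected by SSL/TLS or 128-bit (or better) SASL
    encryption, and Vdel must match the password currently on the object.
    Assumes an ASCII DN, so the dn line needs no base64 encoding.
    """
    def b64(value: bytes) -> str:
        return base64.b64encode(value).decode("ascii")

    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {b64(encode_unicode_pwd(current))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {b64(encode_unicode_pwd(new))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    print(build_password_change_ldif(
        "CN=Test User,OU=Lab,DC=example,DC=com", "Old-Passw0rd", "New-Passw0rd"))
```

A password sent without the surrounding quotes, or in UTF-8 instead of UTF-16LE, is a frequent reason the modify is rejected even when the connection is encrypted.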