This error can sometimes be solved by clearing the active directory userParameters property. To edit this you will need adsiedit, which is available in the support tools package, which if its not installed is located at \support\tools\supptools.msi of SBS disk 2
If this does not solve the issue, another thing you can try is to check that all FSMO roles are held by this server. They should be as its an SBS server, but its worth checking. If you are unsure you can always seize the roles.
It appears that your default domain policy is enforcing minimum password complexity- you will probably need to edit Group Policy if you want to change this behaviour.
From Microsoft:
"Password must meet complexity requirements
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this policy setting in Windows Server 2008 is configured to Disabled, but it is set to Enabled in a Windows Server 2008 domain for both environments described in this guide.
When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:
Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
Passwords must be at least six characters in length.
Passwords must contain characters from three of the following four categories:
English uppercase characters (A through Z).
English lowercase characters (a through z).
Non-alphabetic characters (for example, !, $, #, %).
Each additional character in a password increases its complexity exponentially.
For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations.
At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack such a password.
A seven-character alphabetic password with case sensitivity has 527 combinations.
A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations.
An eight-character password has 268 (or 2 x 1,011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords.
Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@".
Proper use of the password settings helps to prevent the success of a brute force attack."
Source: http://technet.microsoft.com/en-us/library/cc264456.aspx
Best Answer
To my knowledge this can't be set for a default for that tool.
However, you can set Group Policy so that users are disallowed from password changes at that level.
User Config -> Policies -> Administrative Templates -> System -> Ctrl+Alt+Del Options
There is a "Remove Change Password". There are some others scattered about, so look for them.
We're doing something similar. The reason for this is that we have a non-Microsoft password change procedure we've built, thanks to the need to synchronize password changes to multiple systems. If users change their AD password through native tools, their password won't get synced to other systems and they'll call the helpdesk when they can't get in. This also allowed us to put robust password quality rules in place before our underlying systems all supported it.