Ok, after extensively testing the password / authentication process on both 5.01 & 5.02 betas, here are some observation relating to user password changes:
1. Scenario: Admin creates a User "A" with limited privileges but with ability to change settings and password.
(a) User "A" logs in successfully from his desktop with the password created by the admin.
(b) User "A" change his password and gets a confirmation that "change is saved"
(c) User "A" log out and tries to log in with his new password. Gets error message "Wrong username and/or password"
(c.i) User "A" flushes out his browser cache and retries to get the same message as noted above.
(d) User "A" uses Forgot password option and provides his registered email ID and satisfies the captcha. Gets a system confirmation that a new password has been emailed.
(e) User "A" attempts to login with the system provided temporary password but gets error message "Wrong username and/or password"
User "A" is now essentially locked out of the system with no option but wait for admin support.
(f) Admin resets user "A"'s password
(g) User "A" is now able to logon
Summary: Problem 1: It appears that even though an option is visible & checked in user profile allowing them to change password, it appears in reality such privilege, somehow is not reflected / posted in the database thereby allowing them to exercise their privilege as provisioned. Problem 2: Even though the system successfully send out an email with temporary password for this locked out user, it appears that such temporary password is not active and/or not posted in DB for authentication, thereby rendering it useless.
The above issues in my mind is very important in order to successfully authenticate users and help them to manage their passwords by refreshing them periodically. This also means better user experience as well as less overhead on the administrator.
Please let me know if you need any other information from me in finding a resolution for this bug.