Weird permissions on user accounts
- From: "troy240sx@xxxxxxxxx" <troy240sxyahoocom@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Apr 2005 09:15:01 -0700
We are migrating from NT 4.0 to 2003 AD. We are using the ADMTv.2 tool to
migrate computer and user accounts. While migrating accounts I have noticed
that there are different permissions applied to accounts that have been
migrated and accounts created in AD.

After further investigation I also noticed that if you create an account in
the 2003 environment and use dsacls to dump the permissions to a text file.
Then on that same user account go into the advanced security properties,
click the Default button (which is supposed to replace the permissions with
the default settings). Now use dsacls to dump the new permissions to a
different text file. Use FC to do a file compare and the permissions are
different.

Why are the permissions different between a migrated account and an AD
created account?

Why are the permissions changed when you click the default button if you
haven't changed the default permissions when you created the account?

What concerns me the most is that it changes the DENY EVERYONE CHANGE
PASSWORD permission to ALLOW EVERYONE CHANGE PASSWORD permission. I have
logged into our domain with a Domain User account <no special
rights/permissions> and this user was NOT able to change the password. The
permissions seem to be misleading.

The default button changes the following permissions.
DENY - EVERYONE - CHANGE PASSWORD ---> REMOVED
DENY - NT AUTHORITY\SELF - CHANGE PASSWORD ---> REMOVED
C:>fc before.txt after.txt
Comparing files BEFORE.txt and AFTER.TXT
***** BEFORE.txt
READ PROPERTY
Deny Everyone Change Password
Deny NT AUTHORITY\SELF Change Password
Allow Everyone Change Password
***** AFTER.TXT
READ PROPERTY
Allow Everyone Change Password
*****

Can someone confirm that this is normal? If possible I would also like an
explanation why it works like this.

NOTE: I didn't change any of the permissions up the structure of where this
user account is....
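
The before/after comparison described in the post, done per ACE instead of line by line with FC, as an added example that is not part of the original post. It assumes the ACE line shape shown in the FC output above (Allow or Deny, trustee, right); the two sample dumps are constructed from those lines, and the function names are hypothetical.

```python
import re

# Rights to track, spelled as they appear in the dump. Only "Change Password"
# is taken from the post; extend the tuple for other rights of interest.
RIGHTS = ("Change Password",)

# ACE line shape assumed from the post's FC output: <Allow|Deny> <trustee> <right>.
# The trustee may contain spaces (NT AUTHORITY\SELF), so the right anchors the match.
ACE_RE = re.compile(
    r"^\s*(Allow|Deny)\s+(.+?)\s+(" + "|".join(map(re.escape, RIGHTS)) + r")\s*$"
)

# Constructed sample dumps, built from the lines quoted in the post.
BEFORE = r"""
READ PROPERTY
Deny Everyone Change Password
Deny NT AUTHORITY\SELF Change Password
Allow Everyone Change Password
"""
AFTER = r"""
READ PROPERTY
Allow Everyone Change Password
"""

def parse_aces(dump_text):
    """Return the set of (type, trustee, right) tuples found in a dump."""
    aces = set()
    for line in dump_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.add((m.group(1), m.group(2).strip(), m.group(3)))
    return aces

def diff_aces(before_text, after_text):
    """Set difference of ACEs, independent of line order or column spacing."""
    before, after = parse_aces(before_text), parse_aces(after_text)
    return {"removed": sorted(before - after), "added": sorted(after - before)}

def removed_denies(diff):
    """Deny ACEs present before and absent after."""
    return [ace for ace in diff["removed"] if ace[0] == "Deny"]

if __name__ == "__main__":
    result = diff_aces(BEFORE, AFTER)
    for ace in removed_denies(result):
        print("Deny ACE removed:", *ace)
    for ace in result["added"]:
        print("ACE added:", *ace)
```

Comparing ACE sets rather than raw lines keeps spacing and ordering differences between two dumps from showing up as changes.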