Adam, Howard, and list,
Upon Howard's suggestion, I went and re-read the docs on ACL's for slapd.conf. What I came up with is the following (I'll change the first asterisk to the specific attributes once I've actually got it working...):
# ACL's access to * by dn.exact="cn=pwdchanger,dc=example,dc=com" write by * break
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange by self write by * auth
access to * by * read
I also set the 'ldap admin dn' to be cn=pwdchanger,dc=example,dc=com in my smb.conf, and added him to the smbpasswd database.
I'm happy to report that my initial testing shows that ppolicy indeed is being adhered to now. A big thank you to Howard, Adam, Pat, and others who assisted me. I have noticed, as Thierry Lacoste pointed out, that Windows reports a successful password change when the password fails ppolicy restrictions - but ONLY if I have logging set to 0. I have no idea why the two are related. If I have logging turned on (even to 1), Windows reports "The system cannot change your password now because the domain DOMAINNAME is unavailable", but at least it's confirmation on the user end that the change didn't take. However, this is a Samba issue, not an LDAP issue, so I'll take my findings to their mailing list.
Again, thanks to those who helped me.
Best Regards, Ryan