This error message is related to the lack of permission to change the password of the credential used.
To change the password for a credential in AD, the credential that will run the process must be a Domain Admin.
We are changing credential passwords using “srv_senhasegura” as the authentication credential. But when executing the exchange, we get the following error:
Viewing the credential groups in AD we have:
When we entered the authentication credential in the “Domain Admin” group as shown below, the password change was successfully performed.
If you want to avoid giving the authentication account Domain Admin privileges, you can also delegate control of the OU(s) where the users are located and grant it the permission to reset user passwords. Doing this will allow the authentication account to change the passwords of the accounts that are located in the specified OU only.
To do this, right click the OU and select “Delegate Control”. Then follow the wizard.
Great, Leonard! Great solution too.
what if the account is part of a protected windows group, by default it revokes delegations every 60 minutes because is a part object AdminSDHolder and execute a process SDROP and permissions inheritance is disabled in group