This error message is related to the lack of permission to change the password of the credential used.
To change the password for a credential in AD, the credential that will run the process must be a Domain Admin.
Example:
We are changing credential passwords using “srv_senhasegura” as the authentication credential. But when executing the exchange, we get the following error:
If you want to avoid giving the authentication account Domain Admin privileges, you can also delegate control of the OU(s) where the users are located and grant it the permission to reset user passwords. Doing this will allow the authentication account to change the passwords of the accounts that are located in the specified OU only.
To do this, right click the OU and select “Delegate Control”. Then follow the wizard.
ruter.junior
(Ruter Carlos Santos da Silva Junior)
4
what if the account is part of a protected windows group, by default it revokes delegations every 60 minutes because is a part object AdminSDHolder and execute a process SDROP and permissions inheritance is disabled in group