As you may know, best practice for Active Directory account permissions is to grant only what is required. To give the FIM service account the minimum permissions needed for password reset with FIM SSPR, delegate the following in your Active Directory.
Open Active Directory Users and Computers with advanced features.
Right-click the parent OU on which you want to enable Self Service Password Reset and select "Properties" (child OUs inherit these permissions).
Click the "Security" tab.
Click the "Advanced" button.
Click the "Add" button.
Select the FIM service account used for password reset as the principal.
From this point you need to select the following options:
Set "Applies to:" to "Descendant user objects", then:
- In the "Object" part, tick "Change password" and "Reset password". These are extended rights (control access rights), not attributes; "Reset password" is the one that lets the service set a new password without knowing the old one, which is what SSPR needs.
- In the "Properties" part, tick "Read lockoutTime", "Write lockoutTime", "Read userAccountControl" and "Write userAccountControl". Writing lockoutTime is what allows SSPR to unlock a locked-out account.
Keep in mind what this scope means: the service account can now reset the password of every user object under that OU, so do not place privileged accounts in that tree. Accounts protected by AdminSDHolder (adminCount=1) do not receive the inherited entries anyway, because SDProp periodically rewrites their ACLs, so SSPR will not work for those users regardless of this delegation.
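The same delegation can be scripted instead of clicked through. The following PowerShell is an added example and is not part of the original article or of FIM itself; it assumes the ActiveDirectory module is installed, and the OU distinguished name and service account name are placeholders you must replace. Rather than hardcoding the well-known GUIDs, it resolves the user class, the two attributes and the two extended rights from the schema and configuration partitions of your own forest, then writes four ACEs scoped to descendant user objects, exactly as the GUI steps above do.

```powershell
# Added example (not from the original article): delegate least-privilege SSPR
# rights to the FIM service account with PowerShell instead of the ACL editor.
# Assumptions: ActiveDirectory module present; $OU and $ServiceAccount adjusted.
Import-Module ActiveDirectory

$OU             = 'OU=Users,DC=corp,DC=example'   # assumption: parent OU to delegate on
$ServiceAccount = 'CORP\svc-fim-sspr'             # assumption: FIM SSPR service account

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# rightsGuid of an extended right (control access right), looked up by display name.
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'                  # bf967aba-0de6-11d0-a285-00aa003049e2
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$uac         = Get-SchemaGuid 'userAccountControl'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password' # 00299570-246d-11d0-a768-00aa006e0529
$changePwd   = Get-ExtendedRightGuid 'Change Password'

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# "Applies to: Descendant user objects" = inheritance on descendants only,
# limited to objects of class user via the inheritedObjectType GUID.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # Object part: the two extended rights.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $resetPwd,  $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $changePwd, $inherit, $userClass)
    # Properties part: read/write on lockoutTime and userAccountControl only.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $uac, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: only these four entries should exist for the service account on the OU.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The verification step at the end is worth keeping as a periodic check: if the service account ever shows GenericAll, WriteDacl or an ObjectType of all zeros (every extended right) on that OU, someone has widened the delegation beyond what SSPR needs.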