You may receive the following error if self-service password reset is configured but the right set of permissions has not been applied to the account used by AAD Connect. Generally, this occurs because the MSOL service account, or whichever other account was used to configure AAD Connect, does not have the permissions required to reset or unlock the account.
To rectify this problem, make sure the account in use has the right set of permissions to perform account and password related activities. There are two ways of doing this: either assign the Account Operators role to this user, or assign specific permissions to this user.
To set specific permissions, go to your Windows Server Active Directory and open Active Directory Users and Computers.
Enable Advanced Features from the View menu.
Right-click the root domain, go to Properties and then to the Security tab.
Click Advanced and then click Add.
Click Select a principal and then select the service/user account.
In the Applies to section, select Descendant User objects.
Under Permissions and Properties, assign the following permissions:
- Reset password
- Change password
- Write lockoutTime
- Write pwdLastSet
Click on Apply and OK.
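A scripted equivalent of the steps above, added here as an example and not part of the original post: it grants the same four permissions on Descendant User objects at the domain root and then reads the ACL back so you can confirm the entries. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and a placeholder account name `CONTOSO\MSOL_connector`.

```powershell
# Added example: grant the AAD Connect service account the four permissions above on
# "Descendant User objects" of the domain root, then verify. Account name is a placeholder.
Import-Module ActiveDirectory

$ServiceAccount = "CONTOSO\MSOL_connector"   # placeholder, replace with your connector account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from the live schema/configuration partition instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'           # inheritedObjectType = "Descendant User objects"
$sid       = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier])
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # "Reset password" and "Change password" are control-access (extended) rights.
    foreach ($r in 'Reset Password', 'Change Password') {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            (Get-ExtendedRightGuid $r), $inherit, $userClass)
    }
    # "Write lockoutTime" and "Write pwdLastSet" are WriteProperty on a single attribute.
    foreach ($a in 'lockoutTime', 'pwdLastSet') {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
            (Get-SchemaGuid $a), $inherit, $userClass)
    }
)

$acl = Get-Acl -Path "AD:\$domainDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify: show exactly which ACEs the service account now holds on the domain root.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The verification table should list four Allow entries with InheritanceType Descendents; if only a subset appears, the GUID lookups for the missing right or attribute returned nothing and the corresponding rule was not built.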
Now the configuration is done. Ask your user to try resetting his/her password once again.
He/She should now be able to reset his/her password successfully.