An Active Directory account fails a "Password Check" with the following error:
"Queuing task.
Starting task.
Verifying Password.
The password for account managed_account does not match the password on the asset.
Saving task results.
The current account password does not match the password on the asset."
The following error is presented in the Operation log of the check password task:
Debug Access Denied Hercules.Modules.Exceptions.AccessDeniedException: Access to the resource was denied at Hercules.Modules.Windows.Ad.WindowsAdModule.d__15.MoveNext() in C:\BuildAgent7\work\148967a983189538\Source\Hercules.Modules.Windows.Ad\WindowsADModule.cs:line 309
The Activity Log may show "Unable to check password on asset ASSETNAME because the account ACCTNAME is locked or suspended".
Password changes are successful. If the password is checked out and used manually, it works without issue.
ISSUE 1
The account has an expired password or has "User must change password at next logon" set. Changing the account's password will reset the flag on the account.
ISSUE 2
The account is locked out.
ISSUE 3
Check the managed AD account's properties > Account tab > Log On To... and verify whether the account is allowed to log on to all computers, or only to listed computers that do not include the domain controllers.
ISSUE 4
The account is a member of the Protected Users security group in Active Directory.
Members of the "Protected Users" security group are unable to authenticate with NTLM authentication, which prevents Safeguard for Privileged Passwords from successfully impersonating the account to check the password.
The following PowerShell command will show a list of all users in the Protected Users group
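The four conditions above can be checked for one account in a single pass. The following is an added example, not One Identity's own code: the function name `Get-PasswordCheckBlocker` and the sample account, OU and host names are assumptions, and the commented lines at the end show how to feed it from the ActiveDirectory module, including a listing of the Protected Users members.

```powershell
# Added example: 'Get-PasswordCheckBlocker' is a hypothetical helper name.
function Get-PasswordCheckBlocker {
    param(
        [Parameter(Mandatory)] $User,            # Get-ADUser output (or a stand-in)
        [string[]] $ProtectedUserDNs = @(),      # DNs of Protected Users members
        [string[]] $DomainControllers = @()      # DC computer names
    )
    # Issue 3: an empty LogonWorkstations value means "all computers".
    $allowed = @()
    if ($User.LogonWorkstations) { $allowed = $User.LogonWorkstations -split ',' }
    $dcsMissing = @()
    if ($allowed) {
        $dcsMissing = @($DomainControllers | Where-Object { $_ -notin $allowed })
    }
    [pscustomobject]@{
        Account               = $User.SamAccountName
        PasswordExpired       = [bool]$User.PasswordExpired                      # Issue 1
        MustChangeAtNextLogon = ($User.pwdLastSet -eq 0)                         # Issue 1
        LockedOut             = [bool]$User.LockedOut                            # Issue 2
        DCsMissingFromLogOnTo = $dcsMissing -join ','                            # Issue 3
        InProtectedUsers      = ($User.DistinguishedName -in $ProtectedUserDNs)  # Issue 4
    }
}

# Constructed sample data so the logic can be run without a domain.
$sample = [pscustomobject]@{
    SamAccountName    = 'managed_account'
    DistinguishedName = 'CN=managed_account,OU=Service,DC=example,DC=test'
    PasswordExpired   = $false
    pwdLastSet        = 0
    LockedOut         = $false
    LogonWorkstations = 'APP01,APP02'
}
Get-PasswordCheckBlocker -User $sample -DomainControllers 'DC01','DC02' `
    -ProtectedUserDNs 'CN=managed_account,OU=Service,DC=example,DC=test' | Format-List

# Against a live domain (requires the ActiveDirectory module):
# $u = Get-ADUser managed_account -Properties PasswordExpired,pwdLastSet,LockedOut,LogonWorkstations
# $p = (Get-ADGroupMember 'Protected Users' -Recursive).distinguishedName
# $d = (Get-ADDomainController -Filter *).Name
# Get-PasswordCheckBlocker -User $u -ProtectedUserDNs $p -DomainControllers $d
```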
© 2025 One Identity LLC. ALL RIGHTS RESERVED.