An Active Directory account fails a "Password Check" with the following error:
"The password for account managed_account does not match the password on the asset.
Saving task results.
The current account password does not match the password on the asset."
The following error is presented in the Operation log of the check password task:
Debug Access Denied Hercules.Modules.Exceptions.AccessDeniedException: Access to the resource was denied at Hercules.Modules.Windows.Ad.WindowsAdModule.
The Activity Log may show "Unable to check password on asset ASSETNAME because the account ACCTNAME is locked or suspended".
Password changes are successful. If the password is checked out and manually used it works without issue.
The account has an expired password or the "User must change password at next logon" flag set. Changing the account's password will reset the flag on the account.
The account is a member of the "Protected Users" security group in Active Directory.
Members of the "Protected Users" security group are unable to authenticate with NTLM authentication which prevents Safeguard for Privileged Passwords from successfully impersonating the account to check the password.
The following PowerShell command will show a list of all users in the Protected Users group
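As an added example (not the article's own command), the script below lists every user who is a member of "Protected Users", directly or through nested groups, and alongside each one shows the other conditions this article names as causes of a failed password check: a locked-out account, an expired password, and the "User must change password at next logon" flag. It assumes the ActiveDirectory RSAT module is installed and that the current user can read the domain.

```powershell
# Added example, not the article's command. Requires the ActiveDirectory
# module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ProtectedUsersPasswordCheckStatus {
    # "Protected Users" is a built-in domain group; its members cannot
    # authenticate with NTLM, so a Safeguard password check (which
    # impersonates the account) fails for them.
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet, pwdLastSet |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
            # pwdLastSet of 0 is how AD stores "User must change password at next logon".
            @{ Name = 'MustChangeAtNextLogon'; Expression = { $_.pwdLastSet -eq 0 } },
            PasswordLastSet
}

# Report one row per Protected Users member; any row with LockedOut,
# PasswordExpired or MustChangeAtNextLogon set to True matches a cause
# described in this article and should be cleared (or the account removed
# from the group) before the password check is retried.
Get-ProtectedUsersPasswordCheckStatus | Format-Table -AutoSize
```

Run `Get-ProtectedUsersPasswordCheckStatus | Export-Csv protected-users.csv -NoTypeInformation` instead of `Format-Table` to keep a record of the accounts affected.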