The Access Denied error may be due to any of the following:
- Insufficient permissions on the user object for the Password Manager service account
- Explicit Deny for the Password Manager service account
- Inheritance is disabled on the user object
To confirm, use either Active Directory Users and Computers (ADUC) or ADSIEdit to:
- Review the permissions on the user object
- Check the Effective Permissions on the user object that received the "Access Denied" error for the Password Manager service account (i.e. domain\pmsvc)
To resolve the "Access Denied" error (the missing permissions), do the following:
- If Inheritance is not turned on, enable it and let the permissions override what is currently set
- Follow the Password Manager minimial permissions guide and grant the appropriate permissions as required by Password Manager:
https://support.quest.com/password-manager/kb/27946
For additional information, please refer to the following Microsoft KB article:
https://technet.microsoft.com/en-us/library/cc772184.aspx