An AD directory account fails a "Password Check" with the below error:
The password for account managed_account does not match the password on the asset.
Saving task results.
The current account password does not match the password on the asset.
The following error is presented in the Operation log of the check password task:
Debug Access Denied Hercules.Modules.Exceptions.AccessDeniedException: Access to the resource was denied at Hercules.Modules.Windows.Ad.WindowsAdModule.
Password changes are successful. If the password is checked out and used manually, it works without issue.
The account is a member of the Protected Users security group in Active Directory.
Members of the Protected Users security group cannot authenticate with NTLM, which prevents Safeguard for Privileged Passwords from successfully impersonating the account to check the password.
The following PowerShell command will show a list of all users in the Protected Users group
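One way to list the members, as an added example rather than the article's own command: it uses `Get-ADGroupMember` from the ActiveDirectory module (RSAT) and also flags which accounts from a list are in the group, so affected managed accounts can be identified before their password checks fail. The `$managedAccounts` names are constructed sample values; replace them with the accounts managed in your environment.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Constructed sample list of managed account names (sAMAccountName); replace with your own.
$managedAccounts = @('managed_account', 'svc_example')

# -Recursive also returns users who are members through nested groups.
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# 1. Show all users in the Protected Users group.
$protectedUsers |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# 2. Flag managed accounts that are in the group. These are the accounts for which
#    an NTLM-based password check is expected to fail with Access Denied.
$protectedNames = @($protectedUsers | ForEach-Object { $_.SamAccountName })

foreach ($name in $managedAccounts) {
    [pscustomobject]@{
        Account          = $name
        InProtectedUsers = $protectedNames -contains $name   # case-insensitive match
    }
}
```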