The user account that is generating the error must be examined in Microsoft Active Directory Users and Computers (ADUC) or ADSIEdit.
Check the Effective Permissions on that account and the permissions of the Password Manager service account on the user. The issue could be due to a lack of inheritance or an explicit Deny on the account.
For additional information, please refer to the following Microsoft KB article:
Also refer to the following KB for Password Manager minimal permissions, most notably that the service account has full Read/Write permissions on the Comment attribute as well as permissions to Reset password.