Call me paranoid, but I decided that I wanted to know just how much
power I had given this service account by adding it to the "Account
Operators" group, so I researched it. Needless to say, I didn't like
what I learned. Less than a domain admin, but...
It is sufficient for the user name that is being used for LDAP queries
to be a member of the "Account Operators" group for the password change
dialogue to work. It may be that this will work if this user has even
fewer priviledges than those conferre...