Check out this video starting at 13:20.  He talks about how he is able to update user properties with the update user component by first creating a single value data mapping to update individual user properties instead of updating the properties within the UpdateUser component.  Hope that helps. 

https://www-secure.symantec.com/connect/videos/workflow-use-case-active-directory-account-expiration-management

Joe Van

I'm trying to make a password reset workflow and find that I get the same "General access denied error" Active Directory error when I'm trying to use the "Reset User Password" component. I'm pretty sure this is boiling down to a permissions/rights issue where the WF components are trying to write to more fields than my service account has permissions for. The service account I'm using does have reset password permissions, but apparently this is not enough for the "Reset User Password" component too. Our environment is on super-duper security lockdown, so the service account I'm using only has write permissions in AD for the 4 custom attributes and reset password permission. Unfortunately I can't admin AD myself and must go through our Networking department to get permissions adjusted on the service account I'm using after two different approvals are granted. This makes being able to test this myself impossible.

So, does anyone know what the minimum AD permissions are for a service account to successfully use the "Update User" and "Reset User Password" AD Workflow components?

Per the information provided by the help screen for the Reset Password component the user must be a Domain Admin.