Hi,
What is the exact error message you receive when you are told the user has insufficient rights?
For your second question, I do not believe that unlocking a locked account was part of the original design of the Password Reset process - although it is a good suggestion. As all AD environments and company policies are a little different, the process can't be perfect for all users. However, Password Reset is one of the processes that are available for you to modify using the Workflow Designer.
If your organization does not have internal experience with Workflow, you always have the option to seek assistance from Symantec partners who can help customize the processes to your requirements.