I've used the "Delegate Control" wizard on my root domain object to attempt to assign password reset permissions. However it seems no combination of delegation permissions seems to work. Even if I delegate Full Control to my LDAP bind user, the error coming back from moodle when the user attempts to change their password is:
Error code: errorpasswordupdate
- line 476 of /lib/setuplib.php: moodle_exception thrown
- line 110 of /login/change_password.php: call to print_error()
Only when I add my bind user to domain admins does it function properly. I realize this is more AD related than moodle, but I'm hoping somewhere here has had a similar experience and can help.