Hey, have you noticed that when you delegate write permissions for nt_SecurityDescriptor, you still cannot change the option 'User cannot change password'? When you tick this option and save, everything looks fine, because the save succeeds, but once you open the user account properties again, you see that 'User cannot change password' is blank :\ . This is caused by a missing permission to add the 'Everyone' – DENY entry on the Security tab. Yes, you must also have permission to modify the permissions of the user object. If you do not want to give Full permission, you must explicitly add and allow 'modify permissions'.
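
To check both conditions on a user object's ACL, here is an added PowerShell example (not part of the original post). The function names, the `CONTOSO\HelpdeskOps` delegate and the sample ACEs are hypothetical and constructed for illustration; the objects mimic the properties of the entries returned by `(Get-Acl "AD:\<user DN>").Access`.

```powershell
# Added example: sample identities and ACEs are constructed, not from a real domain.
# rightsGuid of the User-Change-Password extended right in the AD schema.
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Test-CannotChangePassword {
    # True when the DACL holds a Deny ACE for Everyone on Change Password,
    # the entry that must exist for the checkbox to stay ticked.
    param([object[]]$Aces)
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -eq 'Deny' -and
            "$($ace.IdentityReference)" -eq 'Everyone' -and
            "$($ace.ActiveDirectoryRights)" -match 'ExtendedRight' -and
            [guid]$ace.ObjectType -eq $ChangePasswordGuid) { return $true }
    }
    return $false
}

function Test-CanModifyPermissions {
    # True when $Delegate has an Allow ACE carrying WriteDacl ("Modify permissions")
    # or GenericAll ("Full control"). Simplification: only ACEs that name the
    # delegate directly are checked; group membership and Deny ACEs are ignored.
    param([object[]]$Aces, [string]$Delegate)
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -eq 'Allow' -and
            "$($ace.IdentityReference)" -eq $Delegate -and
            "$($ace.ActiveDirectoryRights)" -match 'WriteDacl|GenericAll') { return $true }
    }
    return $false
}

# Constructed sample: the delegate can write properties but cannot modify permissions,
# and the Everyone Deny ACE is absent, which matches the symptom described above.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\HelpdeskOps'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty, WriteProperty'; ObjectType = [guid]::Empty },
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ChangePasswordGuid }
)

# Against a live domain (ActiveDirectory module loaded) use instead:
#   $sampleAces = (Get-Acl -Path "AD:\<distinguished name of the user>").Access
"Everyone Deny on Change Password present: $(Test-CannotChangePassword -Aces $sampleAces)"
"Delegate can modify permissions: $(Test-CanModifyPermissions -Aces $sampleAces -Delegate 'CONTOSO\HelpdeskOps')"
```

If the second line reports False for your delegate, the checkbox will keep reverting until 'modify permissions' is allowed on the user objects.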
