I am testing out ADSelfService Plus.  Since using a Domain Admin account is not an option I am trying to get it setup using a lesser privileged user.  I found  http://www.manageengine.com/products/self-service-password/admin-guide.pdf which has some information on the permissions that will be needed.  

ADSSP is connecting to the domain using a user called nonadmin.  I have delegated permission to that user to be able to reset passwords and R/W on the lockoutTime attribute on the OU where my test user is.

I am able to reset that users password without an issue, but when trying to unlock the user, I am getting Access is Denied.

I tried setting the ADSSP service to run as the nonadmin user, but that only cause reset password to also fail.

Are there any other permissions that are needed or something that I can check to get this working?

Thanks