With the advent of the two Microsoft Windows Updates:
Web Active Directory recommends that you create a service account in your Active Directory domain dedicated to creating new accounts for IISADMPWD Replacement. IISADMPWD Replacement can use the service account to bind to your Active Directory to perform password changes.
By default, accounts in Active Directory have the permissions to change passwords; please see:
When configuring IISADMPWD Replacement to use this service account, use the full userPrincipalName of the service account. (See the following screenshot, where “email@example.com”, the full UPN, is used.)
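One way to create the dedicated account and confirm that it binds with its full UPN before entering it in IISADMPWD Replacement. This is an added example, not Web Active Directory's own code; the account name `svc-iisadmpwd` and the domain `example.com` are assumptions, and it expects the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine.

```powershell
# Added example. Assumed names: svc-iisadmpwd and example.com are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$Sam    = 'svc-iisadmpwd'      # hypothetical service account name
$Domain = 'example.com'        # hypothetical AD DNS domain
$Upn    = "$Sam@$Domain"       # full userPrincipalName, the form to enter in the product

# Prompt for the password so it never appears in the script or shell history.
$Password = Read-Host -AsSecureString "Password for $Upn"

# Create the dedicated account only if no account already holds this UPN.
if (-not (Get-ADUser -Filter "UserPrincipalName -eq '$Upn'")) {
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn `
        -AccountPassword $Password -Enabled $true `
        -Description 'Service account for IISADMPWD Replacement'
}

# Read the account back and check what the directory actually stores.
$account = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $account)         { throw "No account found with UPN $Upn" }
if (-not $account.Enabled) { throw "Account $Upn exists but is disabled" }

# Attempt a bind using the full UPN, the same identifier form the page
# says to configure, so a typo or a UPN-suffix mismatch shows up here.
$cred = New-Object System.Management.Automation.PSCredential($Upn, $Password)
$type = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type, $Domain)
try {
    $ok = $ctx.ValidateCredentials($Upn, $cred.GetNetworkCredential().Password)
}
finally {
    $ctx.Dispose()
}

if (-not $ok) { throw "Bind as $Upn failed; check the UPN suffix and password" }
"Bind as $Upn succeeded"
```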
As of the time of this writing, use of such a service account can avoid these kinds of errors introduced by Windows Updates: