I have granted the PASSWORD role to several OUs so the members in those OUs can alter the password policy (add and delete users), and allowed a scope from the root of the tree including subcontainers.

However, when anyone in these OUs tries to add someone to a password policy they get error -672 - Client does not have rights.

I have even tried adding a user to this role, and get the same message. The only users who can assign users to a policy are myself and the initial admin account.

Without granting too much access, how can I allow certain users to use this role so I don't have to get involved in every single account creation?