For specific recommendations about aspects of Microsoft Active Directory security, you'd really be better off asking Microsoft about it. Critical things like security parameters should be reviewed by an expert in that area.
What I'd recommend:
- Configure a user as specified in the solution.
- Consult Microsoft about how to enable audit logging so that all actions of the user can be logged, or capture events, or do whatever Microsoft recommends to capture information about what happens.
- Perform your desired reset operation test from APM, just as an end user would.
- Provide the audit logs (or whatever data) to Microsoft and ask them what the absolute minimum permission required for the user to perform the operation(s) is.
I'm fairly certain that the password resets are done as the user changing the password and not as the administrator user. But you can certainly test it both ways; it won't hurt anything to do this in a lab test.