Allowing a non domain admin to reset and administer service accounts

I have set up a WindowsDomain resource called "Domain Service Accounts". One of the accounts in this resource is the PMP service account. The PMP Service runs under this account.

By default I cannot verify any passwords on any of the accounts, not even the service account that PMP runs under. In order to verify the passwords I have to tick the box "Supply Credentials for remote synchronization" and select the PMP service account. Then I can verify all the passwords in the resource.

OK, fair enough, but I also want to allow another team to create and manage a WindowsDomain resource called "SQL Service Accounts". However, I do not want to give them access to an account that has domain-level privileges so that they can verify and reset passwords.

Right, I think the penny just dropped. I was thinking: why doesn't the service account reset the password and do the verify? If the service account were allowed to do the reset then the other team could add any account they like, including a domain admin account, and reset the password. NOT GOOD.

I've just tested what seems a reasonable way to do this. Interestingly, verify password works as long as I use any of the accounts in the resource as the "Supply Credentials for remote synchronization" account, but password resets fail unless the account has the rights to reset the user account password.

Create an OU for the service accounts you want to allow the SQL DBAs to be able to manage. Delegate password reset to a service account which will be stored as an account in the SQL Service Accounts resource. Set this account as the "Supply Credentials for remote synchronization" account, and then both verify and password reset work.

This is a little clunky but it appears to work!

If you just want them to be able to verify that the password is in sync then you can select any account in the resource and this appears to work OK. 
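Added example, not from the original post or from the PMP product: the delegation step described above done in PowerShell with the ActiveDirectory module's AD: drive. The OU distinguished name, domain and service account name are assumed placeholders. It grants only the Reset Password extended right (plus write on pwdLastSet, which the Delegation of Control wizard grants alongside it) on user objects beneath that one OU, then lists the resulting ACEs so the scope can be confirmed.

```powershell
# Delegate password reset on a single OU to one service account, nothing more.
# Placeholders below are assumptions; replace them with your own values.
Import-Module ActiveDirectory

$OuDn     = "OU=SQL Service Accounts,DC=example,DC=com"   # assumed OU
$Delegate = "EXAMPLE\svc-sqlpwreset"                      # assumed delegate account

# Well-known AD schema GUIDs for the right and attribute being delegated
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$PwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class

$sid  = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

# Reset Password, applied to descendant user objects only (not the OU itself,
# and not to groups, computers or other object classes under it)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)))

# Write pwdLastSet on the same user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)))

Set-Acl -Path $path -AclObject $acl

# Check: show the explicit (non-inherited) ACEs now held by the delegate on this OU.
# Expect exactly two entries, both scoped to the user class with Descendents inheritance.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because the delegate holds no rights outside this OU, adding a domain admin account to the PMP resource would still fail at reset time, which is the control the post is after.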
