Operations on users and tokens require Domain Admin privileges or membership in SystoLock Administrators group.
If your users or OUs have disabled permission inheritance (which is very common for users in IT departments), you will likely to encounter a "Permission denied" error if you try to assign a token to a user with insufficient rights that either itself has its permissions inheritance disabled or resides in an OU with permissions inheritance disabled.
Additionally, most administrator objects have special security descriptors attached to them that would prevent you from successfully assign a token to these users - any permissions assigned explicitly to those users would be reversed to those defined in a special container in AD.
To mitigate this problem and correct permission required for this operation, you can either use a PowerShell CmdLet
Grant-SystoLockAccountManagementPermission to grant the necessary permission to a specific user, or you can use the script provided here to scan for and correct the needed permission in the whole directory.
The script is available here for download: Restore-Permissions.ps1. Make sure you have "Domain Admins" privileges before executing these commands.
Grant-SystoLockAccountManagementPermission -DistinguishedName 'ou=Example,cn=Users,dc=company,dc=com'
Get-AdUser Example | Grant-SystoLockAccountManagementPermission
Get-ADOrganizationalUnit Example | Grant-SystoLockAccountManagementPermission
# or any of the below script usages:
.\Restore-Permissions.ps1 -RestoreContainers -RestoreUsers
.\Restore-Permissions.ps1 -RestoreContainers -RestoreUsers -RestoreSDHolderTemplate
.\Restore-Permissions.ps1 -RestoreUsers -RestoreSDHolderTemplate