The target account is a regular domain ID. The only difference is that the ID is restricted: it is allowed to log on to several servers only, and the server IPs are provided in the configuration of the domain account.
When the restriction is removed, the account will verify. With the restriction in place, it cannot be verified.
The domain account is set to use the proxy credentials to change the account.
The error in the Windows proxy log file is 1329 - Invalid Operation. WindowsAgent: Error: -1 : 1329-Invalid_operation
Environment
Password Authority 4.5.3.10
Active Directory - setting the restriction: Administrative Tools - Active Directory Users and Computers - right-click the user and select Properties. Go to the 'Account' tab and choose 'Log on To'.
Resolution
The 'Log on To' screen says right at the top: In Computer name, type the computer's NetBIOS or Domain Name System (DNS) name.
IP addresses do not work. NetBIOS names will work.
Additional Information
There may be additional restrictions in the environment. For example, if the Active Directory schema only allows 15 characters in a NetBIOS name, but the computers the user is restricted to have longer names, then the restriction will not work for those computers. Otherwise, the Windows proxy will manage the password of a restricted domain account.
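To find the offending entries before re-testing verification, the following added example (not part of the original article or the product) audits an account's 'Log on To' list for IP addresses and for names longer than 15 characters. The function name `Test-LogonWorkstationList`, the account name `svc-restricted` and the sample list are assumptions constructed for illustration.

```powershell
# Added example: audit the 'Log on To' list of a restricted domain account.
# The ActiveDirectory module exposes the list as a comma-separated string
# in the LogonWorkstations property of the user object.
function Test-LogonWorkstationList {
    param([string]$LogonWorkstations)

    foreach ($raw in ($LogonWorkstations -split ',')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }

        # Dotted-quad IPv4, or anything containing ':' (IPv6; never valid in a host name)
        $isIp = ($entry -match '^\d{1,3}(\.\d{1,3}){3}$') -or $entry.Contains(':')

        if ($isIp) {
            $issue = 'IP address: replace with the computer NetBIOS name'
        }
        elseif ($entry.Length -gt 15) {
            $issue = 'Longer than 15 characters: may exceed the NetBIOS name limit'
        }
        else {
            $issue = $null
        }

        [pscustomobject]@{
            Entry = $entry
            Ok    = ($null -eq $issue)
            Issue = $issue
        }
    }
}

# Real use (requires the ActiveDirectory module; 'svc-restricted' is a placeholder):
#   $list = (Get-ADUser -Identity 'svc-restricted' -Properties LogonWorkstations).LogonWorkstations
$list = '10.1.2.3,APPSRV01,LONGSERVERNAME-PROD-01'   # constructed sample value

Test-LogonWorkstationList -LogonWorkstations $list | Format-Table -AutoSize
```

An empty result means the account has no 'Log on To' restriction set.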