We have this error message "Failed to enable password change permission on the 'XXXXXX' object in AD" when we register a server with UNAB.

Release : 14.0

Component : PAM SERVER CONTROL UNAB ENDPOINT

Basically admin rights are needed or one can try to begin removing them testing with the few it works, see:

Whether computer object password will be enabled while endpoint is registered with a particular account depends completely on that account properties in Windows.   Success is a given for members of administrative groups such as Domain Admins, Enterprise Admins.    You can use a hybrid approach by putting a user in an adiministrative group, then removing his rights one by one in the Advanced view of the Security tab.     What you will see there depends on their Group Policy, so it is impossible to give a reliable cut-cookie advice.   Below is an example of where we pruned rights of a user aduser2 that initially put into Enterprise Admins group and password change enablement worked OK with that set.  Possibly some others can be dropped as well.  Here we just wanted to show the principle and possible approach (here in ADUC).  Their mileage may vary