Hi Scott,

If you visit ConfigManager -> LDAP Permissions you'll get a list of all permissions required by the current configuration of PWM. It's in general terms so you will have to translate it to AD permissions. I'm personally not familiar with AD permissions so you may want to consult with a more AD-specific forum. And unfortunately, AD error messages are generally not very helpful.
The PWM Proxy user will need rights to set the password on the test user, and write to the various pwm* attributes. You will need to set the test user to a real user, not an LDAP container. The proxy user needs the same rights to the test user as it does all other users that PWM will be managing.
Additionally, for deep-level troubleshooting you can enable LDAP Wire Trace logging and set log levels to TRACE, and there you can see exactly what LDAP operation is failing.
For the password notification service to run, the PWM Node Service needs to be working properly, which in turn requires that the proxy user has rights to read/write the pwmData attribute on the test user. This mechanism is used to make sure that only a single PWM instance at a time will send notifications. You can debug the node service and the password expiration notification service on tabs in the admin module.