Management of local users on remote Windows hosts by the Windows Proxy

Document ID : KB000005013
Last Modified Date : 14/02/2018
Issue:

A Windows Proxy running on one target device is used to manage local Windows accounts on other remote Windows target devices. These devices are not part of a domain, so a privileged domain account cannot be used to manage the local accounts. When a local account on a remote target device is configured in CA PAM with application type Windows Proxy and change process "Account can change own password", the Windows Proxy verifies the password successfully, but an attempt to update the password fails with the error "The specified network account name or password is not correct. (Windows proxy error: 86-ERROR_INVALID_PASSWORD) Error updating account credentials."

Cause:

This is a limitation of the Windows network management functions used by the current Windows Proxy implementation.

Resolution:

Define another target account for a privileged user on the remote target that has privileges to change the password of other local accounts. For the other local target accounts, use change process "Use credentials from the following account", specifying the privileged account, instead of "Account can change own password". To manage the privileged account itself, you will need two privileged accounts that can change each other's password. These accounts can be different on each remote target device, but have to be defined for each of them.
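The following is an added example, not part of the original article and not CA PAM code: a small check that a planned account layout follows the resolution above. The inventory layout, device names and account names are constructed for illustration, and every entry is assumed to be a local account on a non-domain remote target with application type Windows Proxy.

```python
# Added example: lint a planned account layout against the rules in this article.
# The inventory layout, device names and account names are constructed; this is
# not a CA PAM export format or API.
OWN = "Account can change own password"
DELEGATED = "Use credentials from the following account"

def lint_accounts(accounts):
    """Return (account, problem) tuples; an empty list means the plan follows the article."""
    by_key = {(a["device"], a["name"]): a for a in accounts}
    findings = []
    for a in accounts:
        who = f'{a["device"]}\\{a["name"]}'
        if a["process"] == OWN:
            findings.append((who, "password update fails with Windows proxy error 86"))
            continue
        # The changing account must be a different account on the same device.
        changer = by_key.get((a["device"], a["changer"]))
        if changer is None or changer is a:
            findings.append((who, "changer must be another account defined on the same device"))
            continue
        # The changer must itself be managed by a second privileged account
        # that it manages in turn (the mutual pair the article requires).
        back = by_key.get((changer["device"], changer["changer"]))
        if back is None or back is changer or back["changer"] != changer["name"]:
            findings.append((who, f'{changer["name"]} is not one of two accounts that change each other'))
    return findings

SAMPLE = [  # constructed inventory
    {"device": "srv-a", "name": "pamadmin1", "process": DELEGATED, "changer": "pamadmin2"},
    {"device": "srv-a", "name": "pamadmin2", "process": DELEGATED, "changer": "pamadmin1"},
    {"device": "srv-a", "name": "svc_backup", "process": DELEGATED, "changer": "pamadmin1"},
    {"device": "srv-b", "name": "localadmin", "process": OWN, "changer": None},
    {"device": "srv-b", "name": "appuser", "process": DELEGATED, "changer": "localadmin"},
    {"device": "srv-b", "name": "report", "process": DELEGATED, "changer": "pamadmin1"},
]

if __name__ == "__main__":
    for who, problem in lint_accounts(SAMPLE):
        print(f"{who}: {problem}")
```

In the constructed sample, srv-a passes, while all three srv-b accounts are reported: one still changes its own password, one depends on that account, and one names a privileged account that is defined only on srv-a.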

If a privileged user account existed on each of the Windows target devices, including the device where the Windows Proxy is installed, with the same username and password, running the Windows Proxy service as that user (using the "Logon As" service configuration option) would resolve the problem.