Windows Proxy is a service used in CA PAM to manage local accounts on Windows servers from PAM. Its use may be extended as well to manage local accounts on machines other than the one where the Windows proxy is installed.

What ports do I need open on a remote server, server B, if I want its local accounts to be managed from an account, account A on another server, server A, and what permissions should account A have ?

CA PAM 4.0/ 4.0.x

Windows proxy may be used to manage local accounts on a server, server A and the ports it needs to have open are listed in the documentation. See for instance


https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-1/protect-privileged-account-credentials/default-ports-for-credential-manager.html

If there is an account, account A, in server A which will be used in windows proxy to manage the rest of the accounts, it will have to be part of the local Administrators group in machine A, or at least have the right to change other accounts passwords.

Another possible use case is to use the account on server A to change the local accounts on server B, a remote server. To be able to do this, account A shoulc be a member of the local Administrators in server B or at least have rights to change the accounts passwords on server B. Besides, the password change in server B  will be done through WMI, so port 445 for server B should at least be open for communications