Windows Proxy Invalid Operation verifying Windows domain account with IP restriction.

Article ID: 107479

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

The target account is a regular domain ID. The only difference is that the ID is restricted so that it is allowed to log on to several servers only, and the server IP addresses are provided in the configuration of the domain account.

When the restriction is removed, the account verifies. With the restriction in place, it does not.

The domain account is set to use the proxy credentials to change the account.

The error in the Windows proxy logfile is 1329 - Invalid Operation. 
WindowsAgent: Error: -1 : 1329-Invalid_operation

Environment

Password Authority 4.5.3.10

Active Directory - setting the restriction:
Administrative Tools - Active Directory Users and Computers - right-click on the user and select Properties.
Go to the 'Account' tab and choose 'Log on To'.

 

Resolution

The 'Log on To' screen says right at the top:
In Computer name, type the computer's NetBIOS or Domain Name System (DNS) name.

IP addresses do not work. NetBIOS names will work.

 

Additional Information

There may be additional restrictions in the environment. For example, if the Active Directory schema only allows 15 characters in a NetBIOS name, but the computers the user is restricted to have longer names, the restriction will not work. Otherwise, the Windows proxy will manage the password of a restricted domain account.
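
The following PowerShell check is an added example, not part of the vendor article or product: it flags 'Log on To' entries that are IP addresses or single-label names longer than 15 characters. It assumes the entries are read from the account's userWorkstations attribute (a comma-separated list); the function name Get-LogonWorkstationIssue and the sample accounts are hypothetical and constructed for illustration.

```powershell
# Added example (not vendor code). Classifies the comma-separated 'Log on To'
# list of one account and returns only the entries that need fixing.
function Get-LogonWorkstationIssue {
    param(
        [string]$SamAccountName,
        [string]$UserWorkstations   # raw value of the userWorkstations attribute
    )
    if ([string]::IsNullOrWhiteSpace($UserWorkstations)) { return }

    foreach ($raw in $UserWorkstations.Split(',')) {
        $name = $raw.Trim()
        if (-not $name) { continue }          # skip empty items such as "A,,B"

        # Pre-filter by shape: IPAddress.TryParse also accepts bare integers
        # like "1234", which could be a legitimate host name.
        $ip = $null
        $looksLikeIp = ($name -match '^\d{1,3}(\.\d{1,3}){3}$') -or ($name -match ':')

        $issue = $null
        if ($looksLikeIp -and [System.Net.IPAddress]::TryParse($name, [ref]$ip)) {
            $issue = 'IP address; use the NetBIOS or DNS name instead'
        }
        elseif ($name -notmatch '\.' -and $name.Length -gt 15) {
            # Heuristic for the 15-character NetBIOS caveat noted above
            $issue = 'Single-label name longer than 15 characters'
        }

        if ($issue) {
            [pscustomobject]@{ Account = $SamAccountName; Entry = $name; Issue = $issue }
        }
    }
}

# Constructed sample data (not real accounts or hosts)
$sample = @(
    @{ Sam = 'svc-app01'; Ws = '10.20.30.41, 10.20.30.42' },
    @{ Sam = 'svc-app02'; Ws = 'APPSRV01,appsrv02.example.test' },
    @{ Sam = 'svc-app03'; Ws = 'VERYLONGSERVERNAME01,APPSRV03' }
)
$sample |
    ForEach-Object { Get-LogonWorkstationIssue -SamAccountName $_.Sam -UserWorkstations $_.Ws } |
    Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
#     ForEach-Object { Get-LogonWorkstationIssue $_.SamAccountName $_.userWorkstations }
```

Running this before onboarding restricted accounts to the Windows proxy shows which 'Log on To' lists still contain IP addresses and would fail verification with error 1329.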