Registry key LocalAccountTokenFilterPolicy can not be set through an explicit configuration option within the Group Policy Management Editor.  Instead it needs to be set through the definition of a custom registry key property.  Within the Group Policy Management Editor this can be done at the following location:

1. gpmc.msc
2. Create an Organizational Unit called "PAM Windows Remote Servers"
3. Add all PAM Windows Remote Servers to this list
4. Right Click on this new Organizational Unit
5. Select "Create a GPO in this domain, and Link it here"
6. Give the GPO a "NAME" (IE: PAM WMI Registry Settings GPO)
7. Select this newly create GPO
8. Right click on it and select "Edit"
9. Under Computer Configuration >> Preferences >> Windows Settings 
10. Right Click Registry >> New >> Registry Item:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Value Name: LocalAccountTokenFilterPolicy
Value Type: REG_DWORD
Value Data: 1

 

 

 

 You will also need to ensure the security policy is not restricting "Minimum password age" if you will be setting "Account can change own password" as the Windows Password Policy would prohibit password updates within the minimum password age.

If the Windows Server is  a standalone server (not joined to an AD domain), then you can modify the local security policy. If it joined a domain, then you will need to modify this from GPO at the domain controller.

If you select "Use the following account to force change password" and choose another admin account, then the password can be rotated multiple times a day even if the "Minimum password age" is set to 1.