Local Windows account management via a Windows Proxy fails with a 1792-Invalid_operation error
Article ID: 186325
CA Privileged Access Manager (PAM)
We are not able to manage local Windows target accounts on domain servers using a Windows Proxy installed on another domain member. When we try to change the target account from unsynchronized to synchronized, we see the following error in the Windows Proxy log:
CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1792-Invalid_operation
Windows error 1792 is ERROR_NETLOGON_NOT_STARTED. Checking the Windows event logs on the target server showed the following event at the time the account tried to log on from the Windows Proxy host:
Failure Information: Failure Reason: The NetLogon component is not active. Status: 0xC0000192 Sub Status: 0x0
This applies to any PAM environment using the Windows Proxy target connector.
To allow the PAM Windows Proxy installed on one host to manage local accounts on another host, the Netlogon service must be running on the target server, and the target server must allow remote login of the managed accounts from the host where the Windows Proxy is installed.
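One way to confirm this condition on a target server, as an added example that is not part of the original article or the vendor's tooling. It assumes the event shown above is the standard failed-logon audit event (ID 4625), that `TARGET-SERVER` is a placeholder host name, and that the operator has administrative rights plus WinRM and remote event log access to the target.

```powershell
# Added example: check Netlogon on a managed target and find the matching logon failures.
# Assumptions: 'TARGET-SERVER' is a placeholder; event ID 4625 is the failed-logon audit event.
param(
    [string]$Target = 'TARGET-SERVER',  # placeholder, replace with the managed server
    [int]$HoursBack = 24,               # how far back to search the Security log
    [switch]$StartService               # only change the target when explicitly requested
)

# 1. Netlogon service state and start mode on the target server.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'" -ComputerName $Target
[pscustomobject]@{
    Server    = $Target
    Service   = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
}

# 2. Failed logons whose Status matches the value in the article (0xC0000192).
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$HoursBack) }
Get-WinEvent -ComputerName $Target -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable for lookup.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['Status'] -eq '0xC0000192') {   # -eq is case-insensitive for strings
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                Status      = $data['Status']
            }
        }
    }

# 3. Optional remediation: start Netlogon and make it start at boot.
if ($StartService -and $svc.State -ne 'Running') {
    Invoke-Command -ComputerName $Target -ScriptBlock {
        Set-Service -Name Netlogon -StartupType Automatic
        Start-Service -Name Netlogon
    }
}
```

The `Workstation` and `SourceIp` columns should match the Windows Proxy host if the failures come from the PAM verification attempts described above.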