ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Local Windows account management via a Windows Proxy fails with a 1792-Invalid_operation error

book

Article ID: 186325

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are not able to manage local Windows target accounts on domain servers using a Windows Proxy installed on another domain member. When we try to change the target account from unsynchronized to synchronized, we see the following error in the Windows Proxy log:

CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1792-Invalid_operation

Cause

Windows error 1792 is ERROR_NETLOGON_NOT_STARTED
Checking the Windows event logs on the target server showed the following event at the time the account tried to logon from the Windows Proxy host:

Failure Information:
 Failure Reason:  The NetLogon component is not active.
 Status:   0xC0000192
 Sub Status:  0x0

Environment

This applies to any PAM environment using the Windows Proxy target connector.

Resolution

To allow the PAM Windows Proxy installed on one host to manage local accounts on another host, the Netlogon service needs to be running on the target server and allow remote login of the managed accounts from the host where the Windows Proxy is installed.