In a Window target server has been configured with a Windows Remote Connector, accounts have problems changing their own passwords, receiving a message about being unable to update the password due to "password restrictions". This message is visible in the catalina.out log downloaded from PAM. Verifying the right password does not have a problem. Using another account to change one's password doesn't have a problem either.
This may be due to several reasons, but the one we are going to discuss in this article has to do with the Windows Policies and the operation of PAM.
This error may be obtained if the account is configured with a Password View Policy which requires password change every time it is checked out or viewed and the Windows Account policy is configured not to allow password change before 1 day, for instance.
In this particular case what happens is that PAM will try to rotate the password every time it is checked out, that is, every time it is used for autologin, or to access an application, etc. However, if the change happens before 1 day (or whatever time period has been chosen in the windows Policy), and the account itself is the one doing the change of its own password, that will be in contradiction to the overall windows policy and the operation will fail.
PRIVILEGED ACCESS MANAGEMENT, all versions
There is only one solution: resolve the contradiction by carrying out any of the following two possible operations