In a Window target server has been configured with a Windows Remote Connector, accounts have problems changing their own passwords, receiving a message about being unable to update the password due to "password restrictions". This message is visible in the catalina.out log downloaded from PAM. Verifying the right password does not have a problem. Using another account to change one's password doesn't have a problem either.

PRIVILEGED ACCESS MANAGEMENT, all versions

This may be due to several reasons, but the one we are going to discuss in this article has to do with the Windows Policies and the operation of PAM.

This error may be obtained if the account is configured with a Password View Policy which requires password change every time it is checked out or viewed and the Windows Account policy is configured not to allow password change before 1 day, for instance.

In this particular case what happens is that PAM will try to rotate the password every time it is checked out, that is, every time it is used for autologin, or to access an application, etc. However, if the change happens before 1 day (or whatever time period has been chosen in the windows Policy), and the account itself is the one doing the change of its own password, that will be in contradiction to the overall windows policy and the operation will fail.

There is only one solution: resolve the contradiction by carrying out any of the following two possible operations

• Set up the Windows Policy (type gpedit.msc and go to Windows Settings/Security Settings/Account Settings/Password Policies and modify the "Minimum Password age" setting to zero) to allow immediate password changes
• Use the default Password View Policy which does not require password to be changed every time it is used or viewed, and configure a job to rotate all passwords every certain period of time, according to the security needs of the company.