We are trying to create new synchronized target accounts for local Windows accounts using a Windows Proxy target connector. The Windows target device shows a successful logon of the account from the Windows Proxy host when we try to save the account with option "Update both the Credential Manager Server and the target system" set, but the attempt still fails with a 5-ERROR_ACCESS_DENIED error.

Windows doesn't have the feature of a simple remote login just to see whether credentials work. The Windows Proxy makes a WNetAddConnection2() call to try to access a resource on the remote server with the credentials provided. For account verification we just use resource "\\<servername>". In case we have an IP configured as address in PAM we would be using "\\<IP>" .This normally is an empty folder with read access allowed.

Logged on from remote using the target account, open Windows Explorer and try to access \\<address configured in PAM>. It should have no error and typically shows an empty folder. If there is an error due to a permission or other issue, resolve that problem.