1385-ERROR_LOGON_TYPE_NOT_GRANTED error in Windows Proxy logs after successful password update by service account


Article ID: 208799

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We use the Windows Proxy to manage local accounts on remote servers in our domain. The Windows Proxy service is run by a domain account, and the target accounts in PAM are configured to use Proxy credentials to get the password updated, i.e. the domain account performs the password update. The domain account has the required permissions to perform the password updates. When we update the target account password, it looks like the password is changed on the target server, but PAM fails the update. In the Windows Proxy log cspmclient\log\cspm_client_log.txt we don't see an Update error, only two Verify errors:

WARNING: Tue February 09 15:41:57.135 CST 2021 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1326-ERROR_LOGON_FAILURE
WARNING: Tue February 09 15:41:57.213 CST 2021 CSPMAgentService::verifyWindowsAccountPassword. Operation not successful, message: 1385-ERROR_LOGON_TYPE_NOT_GRANTED

Cause

The managed account was not allowed to log on to the target server over the network. PAM verifies a password update by logging on to the target with the new credentials, which is a network logon, so the Verify fails even though the password itself was changed.

The first error, 1326-ERROR_LOGON_FAILURE, is expected. PAM always attempts a Verify with the new password before updating the target account, and at that point the old password is still in effect, so the logon fails. The absence of any error during the Update step shows that the proxy service account did change the target account's password on the target server. The second Verify, run after the update, was then denied with 1385-ERROR_LOGON_TYPE_NOT_GRANTED (the account has not been granted the requested logon type at this computer), so PAM recorded the update as failed.

The denial came from the local security policy setting Local Policies > User Rights Assignment > 'Deny access to this computer from the network'. The assignment included the built-in security principal 'Local account and member of Administrators group' (well-known SID S-1-5-114), which matches the managed local administrator account whenever it attempts a network logon.


Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Removing 'Local account and member of Administrators group' from the 'Deny access to this computer from the network' policy resolved the problem. Note that this re-enables network logon for every local administrator account on that server, which is exactly what the deny entry is commonly configured to prevent, so weigh the change against your hardening baseline.

Review both the local policy and any domain Group Policy applied to the server. An entry that is not set in the local policy editor can still be enforced by a domain GPO; gpresult /h <file> on the target shows which GPO delivers the setting. If the above change doesn't resolve your problem, check the Security event log on the target server for other causes (a Verify rejected for this reason is logged there as event 4625 with Status 0xC000015B, STATUS_LOGON_TYPE_NOT_GRANTED, the NTSTATUS counterpart of Win32 error 1385), and open a case with PAM Support if needed.
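The following PowerShell is an added example for checking a target server, not code from the article or from PAM. Run it in an elevated session on the target. It assumes secedit.exe is available (it ships with Windows) and that the account name passed to the second function is a placeholder for your managed local account. The first function exports the effective user-rights assignments and lists who holds 'Deny access to this computer from the network' (SeDenyNetworkLogonRight), flagging the two well-known local-account SIDs; the second pulls Security event 4625 entries whose Status is 0xC000015B, the on-target record of the 1385 error seen in the proxy log.

```powershell
# Added example (not from the KB article or PAM). Run elevated on the target server.
# Well-known SIDs whose membership is implied for a local account logging on over the network.
$DenyCandidates = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function Get-DenyNetworkLogonAssignment {
    # Exports the effective user-rights assignments with secedit and returns every
    # principal assigned SeDenyNetworkLogonRight ("Deny access to this computer from the network").
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        # secedit writes the INF as UTF-16; SIDs are prefixed with '*', plain names are not.
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if (-not $line) { return @() }          # right not assigned to anyone locally
        $values = ($line -split '=', 2)[1] -split ','
        foreach ($v in $values) {
            $v = $v.Trim()
            if (-not $v) { continue }
            $sid  = if ($v.StartsWith('*')) { $v.Substring(1) } else { $null }
            $name = $v
            if ($sid) {
                try {
                    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $sid }
            }
            [pscustomobject]@{
                Principal        = $name
                Sid              = $sid
                BlocksLocalAdmin = [bool]($sid -and $DenyCandidates.ContainsKey($sid))
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-LogonTypeNotGrantedFailures {
    # Security event 4625 with Status 0xC000015B (STATUS_LOGON_TYPE_NOT_GRANTED) is the
    # target-side counterpart of 1385-ERROR_LOGON_TYPE_NOT_GRANTED in the proxy log.
    param([string]$Account, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # String -eq is case-insensitive, so '0xc000015b' in the XML matches.
        if ($data['Status'] -eq '0xC000015B' -and
            (-not $Account -or $data['TargetUserName'] -eq $Account)) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $data['TargetUserName']
                LogonType   = $data['LogonType']      # 3 = network logon, as used by the Verify
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
            }
        }
    }
}

# Usage. 'pamlocaladmin' is a placeholder for the managed local account name.
Get-DenyNetworkLogonAssignment | Format-Table -AutoSize
Get-LogonTypeNotGrantedFailures -Account 'pamlocaladmin' -Hours 48 | Format-Table -AutoSize
```

A row with BlocksLocalAdmin set to True for S-1-5-114 (or S-1-5-113, which covers every local account) reproduces the condition described in this article. secedit reports the effective assignment, so an entry delivered by a domain GPO appears here too; use gpresult /h to see which policy object it came from before editing anything.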
