How to rotate passwords for protected users from a Member server in CA PAM

Article ID: 210533

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

It may be necessary to rotate the passwords of domain users from a member server that is joined to the domain, so that CA PAM makes no direct connection to a Domain Controller.

This article explains how that can be achieved.

Environment

CA Privileged Access Manager, several versions

Resolution

This can be achieved by installing the PAM Proxy service on a member server (not a Domain Controller), subject to the following conditions:

* The PAM Proxy service must run as a Domain Admin account, or as an account that holds the rights needed for the user operations involved (fundamentally, resetting passwords). In practice the service account is either an administrator or a Managed Service Account to which the Reset Password permission has been delegated, so that it need not be an administrator.

* In CA PAM, the PAM Proxies used to rotate the passwords must be specified by FQDN. Other forms, such as an IP address, may produce errors or prevent the operation from being carried out at all.

* Likewise, in the PAM Proxy application the account type must be set to Domain Account, the "Domain Controllers are on Servers" option must point to the FQDN of a DC in the domain, and the full domain name must also be entered in the Domain name field.

* When defining the target account and assigning the PAM Proxy application to it, the target account must be set to "Use proxy credentials to change the password".

This setup allows password management even for members of the Active Directory Protected Users group.
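The following PowerShell script is an added example, not code from this article or from the CA PAM product. It checks the conditions above from the member server (DC named by FQDN and resolvable, Kerberos/LDAP reachable, proxy service running as a domain account, who holds the Reset Password right on the target) and then performs a reset the way the proxy does: authenticated as the proxy account against a DC named by FQDN, never as the target. It goes beyond the article in also reporting whether the target is in Protected Users and in verifying the reset through pwdLastSet rather than by logging on as the target. It assumes the RSAT ActiveDirectory module is installed on the member server; the DC name, service name and account names are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the CA PAM article). Assumed: RSAT ActiveDirectory module
# present on the member server; every host, service and account name is a placeholder.

function Test-PamProxyPrerequisites {
    param(
        [Parameter(Mandatory)] [string]$DcFqdn,            # e.g. dc01.corp.example.com (assumed)
        [Parameter(Mandatory)] [string]$ProxyServiceName,  # Windows service name of the PAM Proxy (assumed)
        [Parameter(Mandatory)] [string]$TargetSam          # sAMAccountName of the account PAM will rotate
    )
    $r = [ordered]@{}

    # The DC must be given as an FQDN, not an IP, and must resolve from this server.
    # Kerberos builds the service principal name from the host name, so an IP cannot work.
    $r.DcIsFqdn   = $DcFqdn -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
    $r.DcResolves = [bool](Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction SilentlyContinue)

    # Kerberos (88) and LDAP/LDAPS (389/636) for the proxy; ADWS (9389) is what the
    # AD cmdlets used further down in this script talk to.
    foreach ($port in 88, 389, 636, 9389) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $DcFqdn -Port $port `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # The proxy service must run under a domain account, not a local or built-in identity.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ProxyServiceName'"
    $r.ServiceFound       = [bool]$svc
    $r.ServiceAccount     = $svc.StartName
    $r.RunsAsDomainAccount = [bool]$svc -and
        $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)' -and
        $svc.StartName -match '\\|@'

    # Is the target in Protected Users? Such an account cannot authenticate with NTLM,
    # so the rotation must not be verified by logging on as the target.
    $target = Get-ADUser -Identity $TargetSam -Server $DcFqdn
    $pu     = Get-ADGroup -Identity 'Protected Users' -Server $DcFqdn -Properties Member
    $r.TargetIsProtectedUser = $pu.Member -contains $target.DistinguishedName

    # Which principals hold the "Reset Password" control access right on the target?
    # GUID 00299570-246d-11d0-a768-00aa006e0529 is User-Force-Change-Password.
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$($target.DistinguishedName)"
    $r.ResetPasswordGrantedTo = $acl.Access |
        Where-Object { $_.ActiveDirectoryRights.HasFlag($extended) -and
                       $_.ObjectType -eq '00299570-246d-11d0-a768-00aa006e0529' -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]$r
}

function Reset-PasswordViaProxyAccount {
    param(
        [Parameter(Mandatory)] [string]$DcFqdn,
        [Parameter(Mandatory)] [string]$TargetSam,
        [Parameter(Mandatory)] [pscredential]$ProxyCredential,  # the PAM Proxy service account
        [Parameter(Mandatory)] [securestring]$NewPassword
    )
    # "Use proxy credentials to change the password": the reset is performed by the
    # proxy account against the DC named by FQDN. The target never authenticates here,
    # so its Protected Users restrictions do not affect the reset itself.
    Set-ADAccountPassword -Identity $TargetSam -Reset -NewPassword $NewPassword `
        -Server $DcFqdn -Credential $ProxyCredential -ErrorAction Stop

    # Verify by reading pwdLastSet as the proxy account, not by binding as the target:
    # a Protected Users member cannot use NTLM, so a plain logon test would fail even
    # after a successful reset.
    (Get-ADUser -Identity $TargetSam -Server $DcFqdn -Credential $ProxyCredential `
        -Properties PasswordLastSet).PasswordLastSet
}

# Usage (placeholders, assumed; the reset call changes a real password):
# $cred = Get-Credential 'CORP\svc-pamproxy'
# Test-PamProxyPrerequisites -DcFqdn 'dc01.corp.example.com' -ProxyServiceName 'CAPAMProxy' -TargetSam 'svc-sql01'
# Reset-PasswordViaProxyAccount -DcFqdn 'dc01.corp.example.com' -TargetSam 'svc-sql01' `
#     -ProxyCredential $cred -NewPassword (Read-Host -AsSecureString 'New password')
```

Run the check function first and look at ResetPasswordGrantedTo: if neither the proxy service account nor a group it belongs to (Domain Admins, Administrators) appears there, the rotation will fail regardless of the FQDN settings, which is the condition the first bullet above describes.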