A target account is defined with the application type Windows Proxy.
In the "Windows Proxy" configuration tab of the target account definition, the option "Use the following account to change the password" is selected, and an account with administrative privileges, defined for the same Windows Proxy application type, is specified.
The goal is to have a service account change or rotate the passwords of the unprivileged local accounts residing on the machine running Windows Proxy.
However, on saving the target account, the save fails and the password is not updated at the target server.
By default, and unless specified otherwise, PAM will try to save and synchronize the created account with whatever password has been typed in the password field under Account, or whatever password has been generated in the same section of the Target Account definition.
If the password specified in that field does not match the real password of the target account at the target server, PAM will not use the Windows Proxy application to force the password change unless the option "Force password change" is selected in the Windows Proxy section of the Target Account definition.
CA PAM all versions
Make sure that the "Force password change" checkbox is selected in the Windows Proxy section whenever defining a target account that is to be managed through another account.