Password doesn't meet the Domain or Local Password Policy when generating a password via PAM

Article ID: 380562


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A Privileged Access Management (PAM) admin has noticed that, periodically, users' passwords are not getting rotated in Active Directory.

Looking into it further, Microsoft's Event Viewer shows the following event:

Windows Event ID 4724, which indicates that a new password does not meet the domain or local password policy. This event can occur when a user attempts to reset another account's password.

Cause

A Windows domain password policy was defined with the following setting:

Disallow consecutive identical characters

PAM does not have an exact equivalent of this setting.

Resolution

Traditionally, there should be only one Password Composition Policy in the picture, not both a PAM policy and an Active Directory one.

Nonetheless, in this particular case, although PAM does not have the exact setting, we updated our Password Composition Policy to also include:

  • Disallow Repeating Characters
  • Disallow Duplicate Characters

After this change, the issue no longer appears.
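
Why the rotation fails only periodically, as an added example (not part of the original article and not PAM's own code): a random generator that is unaware of the domain rule emits two identical characters in a row only some of the time. The alphabet, length and generator below are constructed for illustration, and reading "duplicate" as "any character used more than once" is an assumption about that setting's meaning.

```python
import secrets
import string

# Constructed alphabet and length; the article does not give the real policy values.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"
LENGTH = 16

def has_consecutive_identical(pw: str) -> bool:
    """True if any character is immediately followed by itself (e.g. 'aa')."""
    return any(a == b for a, b in zip(pw, pw[1:]))

def has_duplicate(pw: str) -> bool:
    """True if any character occurs more than once anywhere (assumed meaning)."""
    return len(set(pw)) != len(pw)

def adjacent_repeat_probability(length: int, alphabet_size: int) -> float:
    """Chance that a uniformly random password has at least one adjacent pair."""
    return 1 - ((alphabet_size - 1) / alphabet_size) ** (length - 1)

def generate(length: int = LENGTH, alphabet: str = ALPHABET,
             allow_consecutive: bool = True) -> str:
    """Random password; optionally never emit the same character twice in a row."""
    out = []
    while len(out) < length:
        ch = secrets.choice(alphabet)
        if not allow_consecutive and out and out[-1] == ch:
            continue  # redraw instead of emitting an adjacent repeat
        out.append(ch)
    return "".join(out)

def rejection_rate(samples: int = 20000) -> float:
    """Fraction of unconstrained passwords the domain-side rule would refuse."""
    bad = sum(has_consecutive_identical(generate()) for _ in range(samples))
    return bad / samples

if __name__ == "__main__":
    n = len(ALPHABET)
    print(f"expected rejection rate: {adjacent_repeat_probability(LENGTH, n):.1%}")
    print(f"observed rejection rate: {rejection_rate():.1%}")
    fixed = [generate(allow_consecutive=False) for _ in range(20000)]
    print("rejected after fix:", sum(map(has_consecutive_identical, fixed)))
```

With these constructed values, roughly one unconstrained password in five contains an adjacent repeat, which is consistent with rotations that succeed most of the time and fail now and then.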