After upgrading PAM, the out-of-the-box Active Directory connector fails for some accounts in the environment while others succeed.
The issue was observed on Privileged Access Manager 4.2.1 and 4.2.2, and may also be present on 4.2.0.
The password is changed successfully in Active Directory, but the verification step that runs after the password change fails because of a behavior change introduced in the 4.2.0 release. The result is that the password is changed in Active Directory but not saved in the PAM database, so the credential PAM holds for the account no longer matches the one in Active Directory. The failure only occurs on Active Directory target accounts whose user DN contains a special character; in this case it was a backslash, which is the RFC 4514 escape for a comma inside the CN (for example, CN=LastName\, FirstName). The DN itself is well formed; accounts without such characters in their DN are not affected.
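To identify which target accounts are exposed to this issue before or after upgrading, the following added example (not part of this KB or of PAM) scans a list of DNs for RFC 4514 escape sequences. It uses a small DN parser that honours backslash escapes, since a naive split on commas mangles names such as CN=LastName\, FirstName; the sample DN list is constructed here and the function names are this example's own.

```python
"""Scan a DN export for accounts whose DN contains RFC 4514 escape sequences.

Added example, not part of the KB article or of PAM itself. The escaping
rules are those of RFC 4514 section 2.4: a backslash escapes the next
character (for example "\,") or introduces a two-digit hex code ("\2C").
"""
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
SPECIAL_CHARS = set(',+"\\<>;')
HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def split_rdns(dn):
    """Split a DN into its RDN strings, splitting only on unescaped commas.

    Escape sequences are kept verbatim so each piece remains a valid DN fragment.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            m = HEX_ESCAPE.match(dn, i)
            if m:
                buf.append(m.group(0))
                i = m.end()
                continue
            if i + 1 < len(dn):
                buf.append(dn[i:i + 2])
                i += 2
                continue
            raise ValueError("dangling backslash at end of DN: %r" % dn)
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape_value(value):
    """Turn an escaped attribute value back into its raw string ("Doe\\2C Jane" -> "Doe, Jane")."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            m = HEX_ESCAPE.match(value, i)
            if m:
                out.append(chr(int(m.group(1), 16)))
                i = m.end()
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def escape_value(raw):
    """Escape a raw attribute value for use in a DN (the inverse of unescape_value)."""
    out = []
    last = len(raw) - 1
    for idx, ch in enumerate(raw):
        if ch in SPECIAL_CHARS or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def has_escaped_specials(dn):
    """True if any RDN value in dn carries an escape sequence, i.e. an account this KB is about."""
    for rdn in split_rdns(dn):
        _, _, value = rdn.partition("=")
        if "\\" in value:
            return True
    return False


def affected_accounts(dns):
    """Return the DNs from an export that contain escaped special characters."""
    return [dn for dn in dns if has_escaped_specials(dn)]


# Constructed sample export (not real data); the second entry mirrors the DN in the KB's log line.
SAMPLE_DNS = [
    "CN=jsmith,OU=People,DC=example,DC=com",
    "CN=LastName\\, FirstName,OU=People,DC=example,DC=com",
    "CN=svc\\+backup,OU=Service Accounts,DC=example,DC=com",
    "CN=Doe\\2C Jane,OU=People,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in affected_accounts(SAMPLE_DNS):
        print("verify manually in PAM:", dn)
```

Run it over a DN list exported from PAM or from Active Directory; any DN it reports is one whose stored PAM credential should be verified against Active Directory, because a password change for it may have succeeded in AD without being saved in PAM.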
To confirm this is the issue, look for an error like the following in the Tomcat log (the timestamp and DN will be those of the affected account):
2025-06-11T05:07:38.851+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager.updatePasswordInActiveDirectory Failed to update password in Active Directory
javax.naming.InvalidNameException: CN=LastName\, FirstName,OU=People,DC=example,DC=com: [LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090DEC, comment: Error processing name, data 0, v4563 ]; remaining name 'CN=LastName\, FirstName,OU=People,DC=example,DC=com'
The issue is resolved as 36324704/DE635037 in the 4.2.3 release. If upgrading to 4.2.3 is not an option at this time, please open a support case and reference this KB.