In Windows Proxy there was an issue that prevented local accounts on remote Windows servers from updating their own password, i.e. the "Account can change own password", unless the account was local on the Windows Proxy host.

To bypass this issue, customers configured a domain administrator account to perform the updates. This required the domain account to be in the Administrators group on each Windows host for which PAM managed local accounts.

You want this fixed in order to do to have to configure such a powerful account.

Engineering fixed this problem, solution will be included in PAM 4.3.1