A Windows Remote target account called LocalUser has been configured in PAM to have target account LocalAdmin rotate its password. The target account can be verified successfully, but the following error occurs when trying to rotate the password.

UpdateTargetAccountCmd.invoke Failed to synchronize password with target

In the Tomcat log, the following messages about accessing the TEMP folder are seen at the time of the error.

2026-04-16T15:38:45.913+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager.updateWindowsCredentials Updating credential for account LocalUser on server 10.#.#.1 by admin account LocalAdmin with net rpc didn't succeed.
Reason: [Enter new password for LocalUser:
Failed to set password for 'LocalUser' with error: The specified network name is no longer available..
]. Use rwin to do this operation again.
2026-04-16T15:38:45.913+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.init Setting hostNameOrIP, useKerberos: false, hostName : 10.#.#.1, IP :10.#.#.1
2026-04-16T15:38:45.913+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables Getting Windows TEMP folder for user LocalAdmin on host 10.#.#.1 by means of WMI.
2026-04-16T15:38:45.913+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables SMB command line: /usr/bin/python3, /opt/cloakware/cspmserver/rwin/wmiexec.py, LocalAdmin:********@10.#.#.1, "echo ###%TEMP%###"
2026-04-16T15:38:46.672+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables Getting Windows TEMP folder for user LocalAdmin on host 10.#.#.1 by means of WMI.
2026-04-16T15:38:46.673+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables SMB command line: /usr/bin/python3, /opt/cloakware/cspmserver/rwin/wmiexec.py, LocalAdmin:********@10.#.#.1, "echo ###%TEMP%###"
2026-04-16T15:38:47.421+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables Getting Windows TEMP folder for user LocalAdmin on host 10.#.#.1 by means of WMI.
2026-04-16T15:38:47.422+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables SMB command line: /usr/bin/python3, /opt/cloakware/cspmserver/rwin/wmiexec.py, LocalAdmin:********@10.#.#.1, "echo ###%TEMP%###"
2026-04-16T15:38:48.153+0000 WARNING [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.setupSmbVariables Attempt to get Windows TEMP folder for user LocalAdmin on host 10.#.#.1 failed with exit code 1
2026-04-16T15:38:48.153+0000 SEVERE [com.cloakware.cspm.server.plugin.targetmanager.WindowsRemoteAgentTargetManager] com.cloakware.cspm.server.plugin.targetmanager.windowsRemoteAgent.WindowsRemoteAgent.begin PAM-CM-4049: Windows Remote process returns 1, with Administrator account LocalAdmin on target server 10.#.#.1.

The most common cause for the errors about access to TEMP is User Access Control (UAC) being enabled on the Windows server. In this case, the LocalAccountTokenFilterPolicy registry key was set to 0. Per the Prerequisites for Using the Windows Remote Connector documentation, this must be set to 1 in order for the Windows Remote target application to work

Log into the Windows server as LocalAdmin and open regedit, then set LocalAccountTokenFilterPolicy to 1. The target account will now rotate the password successfully. No reboot nor service restart is required after changing this registry key.

If the registry key needs to be set on multiple Windows servers in a domain, refer to KB118437: Windows Remote UAC Setting in a Group Policy Workaround for instructions on creating a Group Policy for those servers.