Problem Statement

An error occurs while performing a password change on a Windows server in a workgroup.

Error: "Access is denied, The Network Path was not found."

 

Symptoms

This error occurs for the following reasons:

Issue 1: The NetBIOS port 445 required for password change is not open from the PAM Web Access server to the target Windows servers.

Issue 2: The Local Computer Policies ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ and ‘User Account Control: Run all administrators in Admin Approval Mode’ are enabled on the target Windows servers.

Issue 3: LSA - LmCompatibilityLevel

Solution

Issue 1:

The following port must be open from the Sectona PAM Web Access server to all target Windows servers:

| Source | Destination | Port |
|---|---|---|
| Sectona PAM Web Access server | All target Windows servers | 445 (NetBIOS) |


Issue 2:

The following Local Computer Policies on the target Windows server need to be disabled for the PAM application to connect to the target server and reset the passwords of privileged accounts:

  1. User Account Control: Admin Approval Mode for the Built-in Administrator account
  2. User Account Control: Run all administrators in Admin Approval Mode

If the policies were originally ‘Enabled’, a system restart may be required after disabling them for the change to apply properly on the target servers.

To check the User Account Control policies on the servers, follow the path below:

Open the group policy editor: Run > gpedit.msc > Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > select the policies ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ and ‘User Account Control: Run all administrators in Admin Approval Mode’, set each to Disabled, and click Apply > OK.

Issue 3:

If a hardening policy is enforced on all the Windows servers and that policy sets the LmCompatibilityLevel, then the LmCompatibilityLevel should be set to the same level on all the servers, including the Sectona Web Access server.

To check the LmCompatibilityLevel on the servers, follow the path below:

Open registry editor > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa > LmCompatibilityLevel


If the LmCompatibilityLevel differs across the Windows servers, configure the same value on all target Windows servers, including the Sectona Web Access server.

If no hardening policy specifies a particular LmCompatibilityLevel configuration, you can either disable this policy by setting the value to ‘0’ or delete the policy from the server.
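
The three checks above can be collected with a short PowerShell script. This is an added example, not part of the original Sectona article or product. The function names, the -ExpectedLmLevel parameter and the host name TARGET01 are hypothetical; FilterAdministratorToken and EnableLUA are the registry values behind the two UAC policies.

```powershell
# Added diagnostic example (not Sectona's code). Run in an elevated session.
function Test-PamSmbPort {
    # Issue 1: run on the PAM Web Access server against each target server.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $r = Test-NetConnection -ComputerName $name -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $name; Port445Open = $r.TcpTestSucceeded }
    }
}

function Get-PamPrereqState {
    # Issues 2 and 3: run locally on each target server and on the PAM server.
    # -ExpectedLmLevel (hypothetical parameter) is the level all servers should share.
    param([ValidateRange(0, 5)][int]$ExpectedLmLevel)
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Policy text for each LmCompatibilityLevel value, indexed 0..5
    $meaning = @(
        'Send LM & NTLM responses',
        'Send LM & NTLM - use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only. Refuse LM',
        'Send NTLMv2 response only. Refuse LM & NTLM'
    )
    $level = $lsa.LmCompatibilityLevel   # $null when the value is not set
    $checked = $PSBoundParameters.ContainsKey('ExpectedLmLevel')
    # UAC values: 1 = policy Enabled, 0 = Disabled, $null = value not present
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        FilterAdministratorToken = $uac.FilterAdministratorToken
        EnableLUA                = $uac.EnableLUA
        LmCompatibilityLevel     = $level
        LmLevelMeaning           = if ($null -eq $level) { 'Not set (OS default applies)' } else { $meaning[$level] }
        MatchesExpectedLmLevel   = if ($checked) { $level -eq $ExpectedLmLevel } else { $null }
    }
}

# Usage (TARGET01 is a placeholder host name):
#   Test-PamSmbPort -ComputerName 'TARGET01'
#   Get-PamPrereqState -ExpectedLmLevel 3
```

Run Get-PamPrereqState on every server and compare the LmCompatibilityLevel column; the LmLevelMeaning column shows which LM/NTLM responses each level sends.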

Please contact us with any issues, questions or comments at: support@sectona.com.