Error occur while performing Password Change on Windows server in workgroup.
Error: "Access is denied, The Network Path was not found."
This error occurs for following reasons:
Issue 1: The required NetBIOS Port 445 for password change is not opened (From PAM Web access server to Target Windows servers)
Issue 2: The Local Computer Policy: ‘User Account Control: Admin Approval Mode for Built-in Administrator Account’ and ‘User Account Control: Run All Administrator in Admin Approval Mode’ are enabled on the Target Windows servers.
Issue 3: LSA - LMCompatabilityLevel
Below port opening required from Sectona PAM Web Access server to all target Windows servers:
Sectona PAM Web Access server
All target Windows servers
The Local Computer Policies on the target Windows server mentioned below:
- User Account Control: Admin Approval Mode for Built-in Administrator Account
- User Account Control: Run All Administrator in Admin Approval Mode
Need to be disabled for PAM application to connect target server and reset password of privilege accounts. If the Policies are originally in ‘Enabled’ mode, then after disabling them a system restart may required for the Policies to get applied on target servers properly.
To check the User Access Policies on servers, follow below mentioned path:
Open group policy editor Run > gpedit.msc > Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > select policy ‘User Account Control: Run all administrators in Admin Approval Mode’ and ‘User Account Control: Run All Administrator in Admin Approval Mode’ and select Disabled and apply > OK.
If there is a Hardening Policy enforced on all the windows server and in that Hardening Policy, the LMCompatibilityLevel has been set on all the servers.
In this case LMCompatibilityLevel should be set at same level on all the servers including Sectona Web Access Server.
To check the LMCompatibilityLevel on the servers follow the below path:
Open registry editor > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa > LmCompatibilityLevel
If the LMCompatibiltyLevel is different on all the Windows Servers, then configure the same value on all target Windows server including Sectona Web Access Server.
But if there is no such Hardening Policy consisting a specific configuration related to LMCompatibility Level then you can either disable this policy by configuring the value to ‘0’ or just delete the policy from the server.