-
Title
TPAM fails to change service account passwords error "HRESULT: 0x80070005 (E_ACCESSDENIED)" -
Description
When using the "Change password for Windows Services started by this account?" on a "Windows AD" platform TPAM does not update the service account passwords.
"Reset Password" logs for the managed account show the following error:
"Error connecting to IP_ADDR as DOMAIN\FUNCACCT to change service passwords: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" -
Cause
TPAM uses WMI/DCOM to update the service account password, 0x80070005 (E_ACCESSDENIED) means the functional account is not priviledged to remotely connect via WMI/DCOM and/or update the service password
-
Resolution
- Ensure the WMI/DCOM permissions are correct allowing remote access and access to update information. With default Microsoft permissions the functional account will need to be a domain administrator, otherwise the functional account will need to have the rights delegated and UAC disabled.
- Ensure you can run WMI/DCOM outside of TPAM, for example using Powershell command similar to the below to retrieve a service, and update the password.
Get-WmiObject -Class Win32_Service -ComputerName <managedplatform> -filter "name='<servicename>'" -Credential yourdomain.com\funcacct | Invoke-WmiMethod -Name Change -ArgumentList @($null,$null,$null,$null,$null,$null,$null,$null,$null,$null,"newpassword")
- Ensure the firewall is set allow WMI/DCOM traffic from TPAM/DPA- Ensure all the required services are enabled for WMI/DCOM to operate.