-
제목
Check Password for Windows accounts fails with error “(0X80070005) Access is denied. (0) The store password for (System Name) DOES NOT MATCH the managed system” -
설명
Reset password works for managed account and the released password is correct. However, "Check Password" for the same account fails with the following message:
"(0X80070005) Access is denied. (0) The store password for (System Name) DOES NOT MATCH the managed system!"
After a "Check Password" that fails, on the target Windows machine there is Event 16969 Warning "remote calls to the SAM database have been denied in the past 900 seconds throttling windows" from Directory-Services-SAM source in the System events logs (These messages may be logged up to 15 minutes after the Check Password failure). -
원인
This is due to a new security policy "Network access: Restrict clients allowed to make remote calls to SAM".
According to Microsoft, the "Network access: Restricted clients allowed to make remote calls to SAM" security policy setting controls which users can enumerate users and groups in the local SAM (Security Accounts Manager) database and Active Directory.
-
해결 방안
Add the managed accounts into the "Network access: Restrict clients allowed to make remote calls to SAM" policy, to do this:
- Open Local Security Policy, click Start, type secpol.msc
- Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
- Right-Click and Select Properties
- On the Template Security Policy Setting, Click Edit Security
- Under Group or user names, Click Add
- Under the Select this object type dialog box, type Users (or another local group that includes all managed accounts as its members, or name of managed accounts) in the Enter the object names to select text field, and click Check Names, then Click OK
- Leave everything default, and Click OK
More information from Microsoft on this setting can be found here
Note: For step #6, if adding a group that contains the managed account does not resolve the issue then it may be necessary to add the functional account / managed account explicitly to the above policy. Restart is not required for this policy to take effect.
-
추가 정보
The security policy settings applies to the following operation systems:
Windows 10, version 1607 and laterWindows 10, version 1511 with KB 4103198 installedWindows 10, version 1507 with KB 4012606 installedWindows 8.1 with KB 4102219 installedWindows 7 with KB 4012218 installedWindows Server 2016Windows Server 2012 R2 withKB 4012219 installedWindows Server 2012 with KB 4012220 installedWindows Server 2008 R2 with KB 4012218 installed
The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. This is the only option to configure this setting by using a user interface (UI).On computers that run earlier versions of Windows, check if the following registry value exists:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam