When managing Windows accounts users may find that a Reset Password works as expected but consistently Check Password fails.
Necessary local policies and TPAM System Settings to be checked for Windows managed hosts when the managed account cannot run ‘Check Password’, or login.
1. Access this computer from the network
This user right determines which users and groups are allowed to connect to the computer over the network. Terminal Services are not affected by this user right.
Default on workstations and servers:
2. Deny access to this computer from the network
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the ‘Access this computer from the network’ policy setting if a user account is subject to both policies.
3. Network access: Sharing and security model for local accounts.
This security setting determines how network logons using local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.
If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify.
Default on domain computers: Classic.
Default on stand-alone computers: Guest only
4. Setting of the TPAM managed Windows host NetBIOS computer name. This setting needs to be entered when configuring the managed host in TPAM /PAR interface.
The Computer Name field in the Systems Management ‘Details’ pane is required for password management and is also used for TPAM’s Autologon feature. If this field is not populated manually with the NetBIOS computer name, TPAM will attempt to determine the system’s computer name when the system is tested, and update the field after attempting to access the managed windows host through ports 135-139, which need to be open.
It is possible to update the Computer Name field on all Windows Systems configured in TPAM using the Batch Update functionality and the following solution details the process to acheive this -
5. Account is not present on the managed system.