FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
idumancic
Staff
Article Id 373155
Description

This article describes an error that can occur in the FortiPAM GUI when performing a manual password change via a Windows Machine template on a non-domain joined workstation (regular user account without admin privileges):

CMDBError: Password change failed (Secret server connection error. SAMR connection to machine failed. Error was NT_STATUS_ACCESS_DENIED).

Scope

FortiPAM, FortiSRA.
Solution

Changing credentials via SMB on a non-domain joined workstation requires certain prerequisites to be configured on that workstation.

The error 'SAMR connection to machine failed. Error was NT_STATUS_ACCESS_DENIED' is related to a Microsoft registry setting that should be adjusted.

The displayed error indicates that the SAMR (remote Security Account Manager, also written SAM-R) connection to the machine failed.

This means that the user cannot perform a password change via SMB because the account is not allowed to make remote calls to SAM (Security Account Manager).

  • In this case, change the workstation's local Group Policy:
    under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, select 'Network access: Restrict clients allowed to make remote calls to SAM'.

  • Add the Directory Services Account (DSA) to the list of accounts approved to make remote calls to SAM.
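
To confirm on the workstation that the policy change took effect, the following read-only PowerShell check is an added example and not part of the original article. It assumes the policy is stored, as Microsoft documents for this setting, as an SDDL string in the RestrictRemoteSam value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the account name 'pam-svc' is a hypothetical placeholder for the account added to the policy.

```powershell
# Added example: read-only check of the policy behind
# 'Network access: Restrict clients allowed to make remote calls to SAM'.
# Assumption: 'pam-svc' is a hypothetical name for the account added to the policy.
param([string]$Account = 'pam-svc')

# Windows stores the policy as an SDDL string in this registry value.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsaKey -ErrorAction Stop).RestrictRemoteSam
if ([string]::IsNullOrEmpty($sddl)) {
    Write-Output 'RestrictRemoteSam is not defined; the default for this Windows version applies.'
    return
}

$readControl = 0x00020000   # "RC" in SDDL: the Remote Access right this policy grants
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
$accountSid = (New-Object System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$allowed = $false
$denied = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if (($ace.AccessMask -band $readControl) -eq 0) { continue }

    $aceSid = $ace.SecurityIdentifier
    $name = $aceSid.Value
    try { $name = $aceSid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

    # The ACE applies if it names the account itself or a local group containing it.
    $applies = ($aceSid.Value -eq $accountSid)
    if (-not $applies) {
        try {
            $members = Get-LocalGroupMember -SID $aceSid -ErrorAction Stop
            $applies = [bool]($members | Where-Object { $_.SID.Value -eq $accountSid })
        } catch { }   # not a local group (for example a well-known SID)
    }

    Write-Output ('{0,-14} {1,-40} applies to {2}: {3}' -f $ace.AceQualifier, $name, $Account, $applies)
    if ($applies -and $ace.AceQualifier -eq 'AccessDenied') { $denied = $true }
    if ($applies -and $ace.AceQualifier -eq 'AccessAllowed') { $allowed = $true }
}

if ($allowed -and -not $denied) {
    Write-Output "$Account is allowed by the policy to make remote calls to SAM."
} else {
    Write-Output "$Account is not granted by the policy; SAMR calls can fail with NT_STATUS_ACCESS_DENIED."
}
```

The check resolves only direct entries and local group membership, so an ACE for a well-known identity such as Authenticated Users is listed but not matched to the account.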