FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
This article describes the issue of being unable to change the password for a Windows local user. The error message 'Password change failed (SAMR connection to machine failed. Error was NT_STATUS_ACCESS_DENIED, but LANMAN password changes are disabled)' is encountered.
Scope
FortiPAM.
Solution
To resolve this issue, it is necessary to understand that Microsoft Windows 2025 has updated its security policy and no longer allows password changes using the Samba method. The current workaround is to use LDAPs for password changes.
Here are the steps to follow:
Ensure that the Windows machine is configured to allow LDAP connections.
Configure FortiPAM to use LDAP for password changes.
Test the password change functionality to ensure it is working as expected.
Additionally, it is recommended to review the Microsoft documentation on the updated security policy for Windows 2025, which can be found at What's new in Windows Server 2025.
