I am a domain administrator, not a TPAM administrator, but needed to run this by you all as best I could to see if anyone has had this issue or has a solution?
Our TPAM service account is receiving an Access Denied error when trying to change an account's password and this happens when pointing to one of our new Windows Server 2019 domain controllers. We have been replacing our 2012R2 with 2019 and we are down to the last 2012R2. This Access Denied error occurs when they point TPAM to the new DCs but it works fine with the last 2012R2. We have verified all the individual security permissions are still there from the initial stand-up a few years ago so what changed with the new DCs? Also, IF the service account were placed in the Administrators group, it works fine.
We have ruled out GPOs by running a test with a 2019 DC in a GPO blocked OU but the problem persists. Also compared the Local Security Policies on one of each, 2012R2 and 2019, and didn't find anything that would cause this access issue. Also checked UAC when we found a difference in settings but again, no luck.
We are at the point now of having to build a new server ourselves with the 2019 ISO and not the template our VMware team used.
I suspect something changed with Windows Server 2019 as far as maybe a new permission that we need to give to the TPAM service account. Any thoughts, ideas, or solutions would be greatly appreciated!