Minimum Requirements for Windows Local Accounts

Due to a security issue (MS KB3178465), we do not allow Windows local accounts to change their own passwords unless the account is the local admin account that comes with the operating system. Other local admin accounts can also change their own passwords if the local security policy allows this. We recommend using the discovery privileged account to change these passwords. Each privileged account should meet the following requirements:

  • Must be a domain user
  • Must be a member of the local administrator group on all target endpoints

The discovery account for Secret Server can also be used for RPC.

To use RPC, a specific registry setting is required:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • Value: LocalAccountTokenFilterPolicy = 1

This setting is required to bypass Remote UAC restrictions.
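The requirements above can be audited on an endpoint with a short script. This is an added example, not vendor or product code; the function name `Test-DiscoveryPrereqs` and the account `EXAMPLE\svc-discovery` are placeholders, and it assumes an elevated PowerShell 5.1+ session on the target machine.

```powershell
# Added example: audit the prerequisites listed on this page on one endpoint.
function Test-DiscoveryPrereqs {
    param(
        [Parameter(Mandatory)]
        [string]$Account   # privileged account in DOMAIN\user form
    )

    # Registry key and value named on this page. A missing value behaves
    # like 0, i.e. Remote UAC token filtering is still active.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name 'LocalAccountTokenFilterPolicy' `
                -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.LocalAccountTokenFilterPolicy } else { $null }

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup does not depend on the OS display language.
    # Only direct members are listed; membership granted through a nested
    # domain group is not resolved here and shows up as $false.
    $member = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -eq $Account }

    # PrincipalSource is 'ActiveDirectory' for domain principals.
    $isDomainUser = [bool]($member | Where-Object {
        $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory'
    })

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        Account                       = $Account
        IsLocalAdministratorsMember   = [bool]$member
        IsDomainUser                  = $isDomainUser
        LocalAccountTokenFilterPolicy = $value
        RemoteUacFilteringDisabled    = ($value -eq 1)
    }
}

# Placeholder account name; replace with the discovery account in use.
Test-DiscoveryPrereqs -Account 'EXAMPLE\svc-discovery'
```

With `LocalAccountTokenFilterPolicy` set to 1, every local account in the Administrators group receives a full administrator token on network logons, so the same output is useful for tracking which endpoints carry the setting.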