Password reset The password could not be updated because the management agent credentials were denied access

lalajee 1,366 Reputation points
2023-01-03T16:34:52.627+00:00

Hi,

We have removed ADFS and replaced it with Pass-through Authentication (3 agents running).

Now I can reset passwords for any users who have access to reset the password.

When I try to reset a password I get the following error:
[screenshot of the error message]

The event log shows the following error on the agent:

TrackingId: xx, Reason: Synchronization Engine returned an error hr=80230626, message=The password could not be updated because the management agent credentials were denied access., Context: cloudAnchor: User_xxxxx, SourceAnchorValue: xxxx==, UserPrincipalName: UserName@domian.co.uk, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230626, message=The password could not be updated because the management agent credentials were denied access.  
   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)  
   at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)  
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)  

I have run the following command on the Azure AD Connect server:

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName MSOL_xxxx `
-ADConnectorAccountDomain "domain.co.uk" `
-Confirm:$false


Accepted answer
Marshaljs 26,816 Reputation points
2023-01-03T16:39:31.45+00:00

Hi,

It seems the account does not have password reset permissions. Can you check that the MSOL account has been granted access?

For Azure AD Connect to perform password writeback, the AD DS account must have the Reset Password permission. You can check the permissions on this user account in the following steps.

Also check this article - troubleshoot-sspr-writeback
Finding the synchronization service Active Directory user account

Hope this helps.
JS

==
Please accept the answer if the information helped you. This will help us and others in the community as well.
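One way to check the permissions the answer refers to, as an added example that is not part of the original answer or of Azure AD Connect itself: it audits whether the connector account directly holds, on an OU or the domain root, the rights that password writeback needs (Reset Password, Unexpire Password, and write access to pwdLastSet and lockoutTime, the same rights Set-ADSyncPasswordWritebackPermissions grants). It assumes the RSAT ActiveDirectory module is available and that the account name and DN are placeholders you replace.

```powershell
# Added example (not from the original post): audit the rights Azure AD Connect password
# writeback needs on an OU or the domain root. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-WritebackRightGuids {
    # Resolve attribute and extended-right GUIDs from this forest's schema/config partitions
    # rather than hard-coding them.
    $root  = Get-ADRootDSE
    $guids = @{}
    foreach ($attr in 'pwdLastSet', 'lockoutTime') {
        $obj = Get-ADObject -SearchBase $root.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $guids[$attr] = [guid]$obj.schemaIDGUID
    }
    foreach ($right in 'Reset Password', 'Unexpire Password') {
        $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
            -LDAPFilter "(displayName=$right)" -Properties rightsGuid
        $guids[$right] = [guid]$obj.rightsGuid
    }
    return $guids
}

function Test-WritebackPermissions {
    param(
        [Parameter(Mandatory)][string]$AccountSamName,  # e.g. 'MSOL_xxxx' (placeholder)
        [Parameter(Mandatory)][string]$TargetDN         # e.g. 'DC=domain,DC=co,DC=uk' (placeholder)
    )
    $guids = Get-WritebackRightGuids
    $acl   = Get-Acl -Path "AD:\$TargetDN"
    # Only Allow ACEs granted directly to the account are evaluated; rights inherited
    # through group membership are not.
    $aces  = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -like "*\$AccountSamName"
    }
    foreach ($name in $guids.Keys) {
        $needed = if ($name -in 'pwdLastSet', 'lockoutTime') { 'WriteProperty' } else { 'ExtendedRight' }
        $hit = $aces | Where-Object {
            # An ACE scoped to this GUID, or an unscoped ACE (empty GUID), carrying the right satisfies it
            ($_.ObjectType -eq $guids[$name] -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]$needed) -ne 0)
        }
        [pscustomobject]@{ Right = $name; Granted = [bool]$hit }
    }
}

# Usage (placeholders): Test-WritebackPermissions -AccountSamName 'MSOL_xxxx' -TargetDN 'DC=domain,DC=co,DC=uk'
```

Any row showing Granted = False on the OU that holds the affected users points at the missing ACE that produces hr=80230626; run the check against the domain root too, since the ACEs are usually set there and inherited.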

