self-service password reset

Guillaume Mülhauser 0 Reputation points
2023-09-04T11:51:41.5366667+00:00

Hello,

I have this issue on the client side when users change their password with self-service password reset:
[screenshot]

Support code: 4647d979-a84e-4afa-9a53-8cc7e6da5a48

The password is changed, but we still get that error on the client side.

On our Azure AD Connect server, in Event Viewer, I have:
[screenshot]

ADSync:
An unexpected error has occurred during a password set operation. "ERR_: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2 BAIL: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2 BAIL: MMS(2748): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.) ERR: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2 BAIL: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2 BAIL: MMS(2748): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.) ERR: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2 BAIL: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2 BAIL: MMS(2748): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.) ERR: MMS(2748): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'PasswordChangeAccessCheckLegacy', 0x2 BAIL: MMS(2748): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2 BAIL: MMS(2748): C:_w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.) 
BAIL: MMS(2748): ..\session.cpp(934): 0x80230619 (A restriction prevents the password from being changed to the current one specified.): Password violation: Server Error 0x52d Ldap Error 0x35 BAIL: MMS(2748): ..\session.cpp(750): 0x80230619 (A restriction prevents the password from being changed to the current one specified.) BAIL: MMS(2748): admaexport.cpp(2852): 0x80230619 (A restriction prevents the password from being changed to the current one specified.) ERR: MMS(2748): admaexport.cpp(2859): Failed to set the password using LDAP password policy control. BAIL: MMS(2748): admaexport.cpp(3440): 0x80230619 (A restriction prevents the password from being changed to the current one specified.) ERR: MMS(2748): ..\ma.cpp(8256): ExportPasswordSet failed with 0x80230619 Azure AD Sync 2.2.1.0"

PasswordResetService

> TrackingId: dbf9f4c0-879e-4215-a85b-c96da0fe41c1, Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_c9152546-6a0a-4958-83a7-ccc85b1008ca, SourceAnchorValue: 3d3VAfXlmEW7CzBpwKfceQ==, UserPrincipalName: ******@XXXX.com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
>    at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
>    at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
>    at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)

I tried everything from this page:

[https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback](https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback)

Can you help me with this?

Thank you


1 answer

  1. Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator
    2023-09-05T10:23:55.0333333+00:00

    Hello @Guillaume Mülhauser

    Thank you for reaching out. I have reviewed the event you have shared above. The message states: "A restriction prevents the password from being changed to the current one specified. Failed to set the password using LDAP password policy control."

    I would like to confirm that this error mostly pops up when the user account in question is part of a protected group or has administrative privileges. You can check this by validating the Admin Count attribute value on the user account. If this is set to 1, or the account is part of a protected group, then you would not be able to change/reset the password for the user using SSPR. As per SSPR design, users with an Admin Count value of 1, or who are part of a protected group, cannot reset/change their passwords using the SSPR service. (Documentation Link: Troubleshoot self-service password reset writeback - Azure Active Directory - Microsoft Entra | Microsoft Learn)

    [screenshot]

    I hope this helps, and I would request that you please "Accept the answer" if the information helped you. This will help us and others in the community as well.

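The check the answer describes (is `adminCount` set to 1, or is the user a member of a protected group, possibly through nesting?) can be run on the on-premises domain from PowerShell. The following function is an added example, not code from the question, the answer or Microsoft; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read user and group objects, and that `user@contoso.example` is a placeholder UPN. The protected-group list is the default set of groups whose members SDProp stamps with `adminCount=1`; the function name and parameter are hypothetical.

```powershell
# Added example (not from the thread): report why SSPR writeback would refuse
# a user. Assumes the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Test-SsprWritebackEligibility {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Default protected groups whose members SDProp marks with adminCount = 1.
    $protectedGroups = @(
        'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
        'Domain Controllers', 'Enterprise Admins', 'Print Operators',
        'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
    )

    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties adminCount
    if (-not $user) { throw "No AD user found with UPN '$UserPrincipalName'" }

    # Escape the DN for use inside an LDAP filter (RFC 4515 special characters).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in one query, so a
    # user who is only indirectly in Domain Admins is still reported.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
              Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $protectedGroups -contains $_ })

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        AdminCount        = $user.adminCount
        ProtectedGroups   = $hits
        # Either condition is what the answer says blocks SSPR writeback.
        BlockedForSspr    = ($user.adminCount -eq 1) -or ($hits.Count -gt 0)
    }
}

# Usage with a placeholder UPN:
Test-SsprWritebackEligibility -UserPrincipalName 'user@contoso.example'
```

The two conditions are reported separately on purpose: SDProp sets `adminCount` when a user enters a protected group but does not clear it when the user leaves, so an account that is no longer in any protected group can still carry `adminCount=1` and still be refused by SSPR until the attribute is cleared by an administrator.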
