Microsoft SSPR and Computer Object hash

Steve Powers 21 Reputation points
2020-12-18T09:59:50.287+00:00

I am in a hybrid AD environment with 75% of my users at remote sites, and they are using VPN to connect to shared file servers and to reset their logon passwords. If I enable Microsoft SSPR in the Azure environment and the user enables it for their profile, and then they reset their password with SSPR when they are totally off of the domain, without being connected to VPN, will their computer hash be updated when the AD Connect writeback sync completes, or will the computer still be associating the user with the former password? As a result, when they are off of the domain they can connect to their machine, but once they are back on the domain, are they unable to connect because the hash did not sync? If this occurs, would they get a trust error message? If they do get a trust issue, are they able to log into their computer with the old credential, join with the VPN, and then reset the credential using their new password? Or does SSPR work in such a way that it syncs both the user and the computer object, just like they were on the domain?


  1. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee
    2020-12-21T13:16:24.437+00:00

    @Steve Powers In a way, SSPR is not a machine-aware thing. It's a pure user-based password reset mechanism, and it does work when the user is outside of the domain.

    So there is no requirement for VPN connectivity; the device would still be associating the user with the old password.
    Only once the device connects to the VPN would the user be allowed in with the new password, and the trust between AD DS and the device doesn't break.

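The answer above comes down to three things a practitioner can check from the client itself: the device keeps a cached verifier of the user's last domain password (so the old password keeps working off-network and the new one does not), the new password is only accepted once a domain controller can be reached, and a user password reset never touches the computer account's secure channel (the "trust" the question asks about). The following PowerShell is an added example, not code from the thread or from Microsoft; it uses only built-in cmdlets and tools (Get-ItemProperty, nltest, Test-ComputerSecureChannel), while the function name, the returned object and the advice strings are this example's own. Run it in an elevated PowerShell session on the domain-joined client.

```powershell
# Added example (not from the thread). Read-only: reports why the old password
# still works locally after an off-network SSPR reset and whether the machine
# trust is intact. Function name and output shape are this example's own.
function Get-DomainLogonCacheState {
    [CmdletBinding()]
    param(
        # Domain to test against; defaults to the client's own DNS domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # Number of domain logons Windows keeps a cached verifier for (default 10).
    # While a cached entry exists, the OLD password works at the lock screen
    # until a logon with the NEW password is validated by a DC, which refreshes it.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cachedLogons = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                     -ErrorAction SilentlyContinue).CachedLogonsCount

    # Can the client locate a DC right now (i.e. is the VPN / LAN path up)?
    $dcReachable = $false
    try {
        $null = nltest /dsgetdc:$Domain 2>$null
        $dcReachable = ($LASTEXITCODE -eq 0)
    } catch { }

    # Machine account secure channel: this is the computer-object trust, which a
    # USER password reset does not change. $false only if the COMPUTER password
    # itself is out of sync with AD DS.
    $secureChannel = $null
    if ($dcReachable) {
        $secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }

    if (-not $dcReachable) {
        $advice = 'Off network: the cached (old) password works; the new one will not until a DC is reachable.'
    } elseif ($secureChannel -eq $false) {
        $advice = 'Machine trust broken: repair with Test-ComputerSecureChannel -Repair -Credential (Get-Credential).'
    } else {
        $advice = 'On network: lock and unlock with the NEW password so the cached verifier is refreshed.'
    }

    [pscustomobject]@{
        Domain            = $Domain
        CachedLogonsCount = $cachedLogons
        DcReachable       = $dcReachable
        SecureChannelOk   = $secureChannel
        Advice            = $advice
    }
}

Get-DomainLogonCacheState | Format-List
```

The useful reading of the output is the combination of CachedLogonsCount and DcReachable: a non-zero cache with no DC in reach is exactly the state the question describes (old password accepted locally, new password rejected), and SecureChannelOk staying $true after the reset confirms that no domain-trust error is involved.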