33008 - Entra/DC Sync

Daniel Gellard 0 Reputation points
2025-01-12T20:22:12.1466667+00:00

Hi All,

Recently, I set up a link between Entra ID and a domain controller hosted on an Azure VM.

Password hash sync, writeback, etc. have been set up, and the sole purpose of this was to enable us to set more in-depth password policies, outside of the 365 limits.

All seemed to be working OK; I did two test runs, and then on the 3rd password reset across two users I'm seeing error 33008.

Logs on Entra suggest that the users are now allowed to reset/change their password. However, I cannot see any limits on this from Entra ID or the domain controller password policies. There is no limit to how often they can be reset.

Just wanted to see if anyone else has come across this.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Server | User experience | Other

2 answers

  1. Abiola Akinbade 29,490 Reputation points Volunteer Moderator
    2025-01-13T07:08:28.4+00:00

    Hello Daniel Gellard,

    Thanks for your question.

    This could be due to minimum age.

    If you have a minimum password age and have recently changed the password within that window of time, you're not able to change the password again until it reaches the specified age in your domain. For testing purposes, the minimum age should be set to 0.

    See: https://learn.microsoft.com/en-us/entra/identity/authentication/troubleshoot-sspr-writeback

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola


  2. Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator
    2025-01-28T21:03:07.2633333+00:00

    Hi @Daniel Gellard

    When you use the password writeback service to change or reset a password, the service attempts to set the new password on your local directory. However, if the password you've selected doesn't meet the password age, history, complexity, or filtering requirements of your domain, then the operation fails, and you receive error code 33008.
    If you have password filters enabled and a user selects a password that doesn't meet the filtering criteria, then the reset or change operation fails.

    If you have set a minimum password age policy in your on-premises AD DS, users will not be able to change their password again until the specified age has passed. This is to prevent users from changing their password too frequently and potentially using weak passwords.

    For testing purposes, you can set the minimum password age policy to 0 to allow users to change their password immediately. However, it's important to note that this is not recommended for production environments as it can weaken the security of your system.

    You can change the minimum password age policy in the Group Policy Management Console (GPMC) on your domain controller. Once you have made the change, you can run a "gpupdate /force" command on the affected machines to apply the new policy.

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh v.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

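The minimum password age check that both answers describe, as an added PowerShell example that is not part of the thread and not Microsoft's own code. It assumes the RSAT ActiveDirectory module on the domain controller or a domain-joined management host; the account names are placeholders. It resolves the policy that actually applies to the user (a fine-grained password policy if one is assigned, otherwise the default domain policy), compares `PasswordLastSet` with `MinPasswordAge`, and reports whether a second reset would still be inside the window that makes writeback return 33008.

```powershell
# Added example, not code from the Q&A thread or from Microsoft.
# Assumes the RSAT ActiveDirectory module; account names below are placeholders.
Import-Module ActiveDirectory

function Test-MinPasswordAgeWindow {
    <#
    .SYNOPSIS
    Reports whether a user is still inside the on-premises minimum password
    age window, the usual cause of SSPR writeback error 33008 on a repeat reset.
    #>
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, CannotChangePassword

    # A fine-grained password policy (PSO) wins over the domain default when one applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $source = 'Fine-grained password policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default domain policy'
    }

    $minAge  = $policy.MinPasswordAge      # [TimeSpan]; 00:00:00 means no minimum age
    $lastSet = $user.PasswordLastSet       # $null when the user must change at next logon

    if ($null -eq $lastSet -or $minAge -eq [TimeSpan]::Zero) {
        $earliest = Get-Date               # no age restriction is in effect
    } else {
        $earliest = $lastSet + $minAge     # DateTime + TimeSpan
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordAge       = $minAge
        PasswordLastSet      = $lastSet
        EarliestNextChange   = $earliest
        InsideMinAgeWindow   = ($earliest -gt (Get-Date))
        CannotChangePassword = $user.CannotChangePassword   # separate flag that also blocks a self-service change
    }
}

# Check the two test accounts from the thread (placeholder names).
'testuser1', 'testuser2' |
    ForEach-Object { Test-MinPasswordAgeWindow -SamAccountName $_ } |
    Format-List

# After lowering the minimum age in GPMC for a test domain and running
# "gpupdate /force" on the domain controller, confirm the effective value:
(Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
```

`InsideMinAgeWindow` being `$true` for the account that failed is the confirmation both answers point to; `EarliestNextChange` tells you when the next writeback would succeed without touching the policy. The last line is the check to run after a GPMC change, because the domain password policy takes effect only once the domain controllers have refreshed the Default Domain Policy.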
