How can i resolve the password writeback issue with event ID 6329 & 33008?

sysadmin 21 Reputation points
2021-11-03T10:14:54.523+00:00

Issue:

When I tried to reset password from Azure portal for test user, I keep getting the following error.
"Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly."

When I do it from https://passwordreset.microsoftonline.com
I get similar error.

Event 6329 & 33008
146059-6329.png
146098-33008.png

background:

--------------

On-prem Ad password Policy ----looks ok
146097-password-policy.png

Azure AD - pass hash sync SSO -ok
146099-pass-hash-sso.png

On-prem user - user can not change password - disabled -----ok
146048-screenshot-2021-11-03-at-55948-pm.png

MSOL_XXXXX Account having reset password effective permission
146060-screenshot-2021-11-03-at-60341-pm.png

Azure AD password reset config select Group & The group contains the testing user ----ok
146134-ad-group-selected.png

Azure AD Connect installed on windows2016 server Password WriteBack configured----ok
146146-writeback-on.png

Azure AD Writeback password setting on-----ok
146066-on-prem-integ.png

Tried and rollback action

---------------------------

Tried Reset testing user password
Tried add MSOL_account to domain admin
Tried disable Writeback password on Azure AD Connect and enable Writeback setting.
Tried on azure AD connect change connect to different AD Server.

However, all fails.

How I can resolve the issue

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,639 questions
Azure Active Directory Domain Services
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,702 questions
Accepted answer
  1. Gary Reynolds 8,811 Reputation points
    2021-11-03T11:04:15.247+00:00

    Hi,

    Did you try resetting the password of the users from a workstation connected to the domain?

    If this failed, I would check if you have any fine-grain-password policies assigned to the user, using the folllowing powershell command: 

    Get-ADUserResultantPasswordPolicy -Identity <username>

    Also it worth checking what password policy is active at the domain level with the following command, in case the password policy is set in multiple GPOs: 

    Get-ADDefaultDomainPasswordPolicy -identity <domain name>

    Gary.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. sysadmin 21 Reputation points
    2021-11-04T02:59:28.687+00:00

    Dear Sir

    Thank you for your help.

    After Get-ADDefaultDomainPasswordPolicy -identity <domain name>
    146376-password-policy.png

    It looks to me that the Domain Policy is not active. Your guess is correct.

    I forced the domain policy and it works