How can I resolve the password writeback issue with event ID 6329 & 33008?

sysadmin 21 Reputation points
2021-11-03T10:14:54.523+00:00

Issue:

When I try to reset the password from the Azure portal for a test user, I keep getting the following error.
"Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly."

When I do it from https://passwordreset.microsoftonline.com I get a similar error.

Event 6329 & 33008

Background:

--------------

On-prem AD password policy ---- looks ok

Azure AD - password hash sync, SSO ---- ok

On-prem user - "user cannot change password" - disabled ---- ok

MSOL_XXXXX account has the reset password effective permission

Azure AD password reset config: group selected, and the group contains the testing user ---- ok

Azure AD Connect installed on Windows 2016 server, password writeback configured ---- ok

Azure AD password writeback setting on ---- ok

Tried and rolled back actions

---------------------------

Tried resetting the testing user's password.
Tried adding MSOL_account to domain admin.
Tried disabling password writeback on Azure AD Connect and enabling the writeback setting.
Tried changing Azure AD Connect to connect to a different AD server.

However, all failed.

How can I resolve the issue?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2021-11-03T11:04:15.247+00:00

    Hi,

    Did you try resetting the password of the users from a workstation connected to the domain?

    If this failed, I would check if you have any fine-grained password policies assigned to the user, using the following PowerShell command:

    Get-ADUserResultantPasswordPolicy -Identity <username>
    

    Also, it is worth checking what password policy is active at the domain level with the following command, in case the password policy is set in multiple GPOs:

    Get-ADDefaultDomainPasswordPolicy -identity <domain name>
    

    Gary.

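The two checks from the accepted answer combined into one script, as an added example that is not part of the original answer. The function names `Get-EffectivePasswordPolicy` and `Get-DomainRootPasswordGpo`, the account name `testuser`, and the setting-name pattern used to scan GPO reports are assumptions of this example.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy (RSAT) modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DomainName = (Get-ADDomain).DNSRoot
    )
    # Returns nothing when no fine-grained policy (PSO) applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -Server $DomainName
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy -Identity $DomainName
    # A PSO, when present, takes the place of the domain policy for this user.
    $active = if ($pso) { $pso } else { $domainPolicy }
    [pscustomobject]@{
        User                 = $SamAccountName
        Source               = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordLength    = $active.MinPasswordLength
        MinPasswordAge       = $active.MinPasswordAge
        MaxPasswordAge       = $active.MaxPasswordAge
        PasswordHistoryCount = $active.PasswordHistoryCount
        ComplexityEnabled    = $active.ComplexityEnabled
    }
}

function Get-DomainRootPasswordGpo {
    param([string] $DomainName = (Get-ADDomain).DNSRoot)
    $rootDn = (Get-ADDomain -Identity $DomainName).DistinguishedName
    # Assumption: password settings appear under these names in the GPO XML report.
    $pattern = 'MinimumPasswordLength|MinimumPasswordAge|MaximumPasswordAge|PasswordHistorySize|PasswordComplexity'
    # Only GPOs linked at the domain root set the password policy for domain accounts.
    foreach ($link in (Get-GPInheritance -Target $rootDn -Domain $DomainName).GpoLinks) {
        $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $DomainName
        if ($report -match $pattern) {
            [pscustomobject]@{
                Gpo         = $link.DisplayName
                Order       = $link.Order
                LinkEnabled = $link.Enabled
                Enforced    = $link.Enforced
            }
        }
    }
}

# 'testuser' is a placeholder account name.
Get-EffectivePasswordPolicy -SamAccountName 'testuser'
Get-DomainRootPasswordGpo | Sort-Object Order | Format-Table -AutoSize
```

More than one row from `Get-DomainRootPasswordGpo` means several domain-root GPOs define password settings, which is the case the answer asks you to rule out.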

1 additional answer

  1. sysadmin 21 Reputation points
    2021-11-04T02:59:28.687+00:00

    Dear Sir

    Thank you for your help.

    After Get-ADDefaultDomainPasswordPolicy -identity <domain name>

    It looks to me that the Domain Policy is not active. Your guess is correct.

    I forced the domain policy and it works.
