How can I resolve the password writeback issue with event IDs 6329 & 33008?

sysadmin 21 Reputation points


When I tried to reset the password from the Azure portal for a test user, I kept getting the following error.
"Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly."

When I do it from
I get a similar error.

Event 6329 & 33008



On-prem AD password policy ---- looks ok

Azure AD - password hash sync, SSO ---- ok

On-prem user - "User cannot change password" - disabled ---- ok

MSOL_XXXXX account has the Reset Password effective permission

Azure AD password reset config: selected group, and the group contains the test user ---- ok

Azure AD Connect installed on a Windows Server 2016 server, password writeback configured ---- ok

Azure AD password writeback setting on ---- ok

Tried and rolled back the following actions:

Tried resetting the test user's password
Tried adding the MSOL_ account to Domain Admins
Tried disabling password writeback on Azure AD Connect and enabling the writeback setting again.
Tried changing Azure AD Connect to connect to a different AD server.

However, all failed.

How can I resolve the issue?


Accepted answer
Gary Reynolds 8,811 Reputation points


    Did you try resetting the user's password from a workstation connected to the domain?

    If this failed, I would check whether you have any fine-grained password policies assigned to the user, using the following PowerShell command:

    Get-ADUserResultantPasswordPolicy -Identity <username>

    It is also worth checking which password policy is active at the domain level with the following command, in case the password policy is set in multiple GPOs:

    Get-ADDefaultDomainPasswordPolicy -Identity <domain name>


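The two commands in the accepted answer can be combined into one read-only diagnostic that also checks the other items from the question's checklist (the "User cannot change password" flag and the MSOL_ account's Reset Password right). The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory RSAT module is installed, that it runs under an account with read access to the domain, and that the account to inspect is passed as `-SamAccountName`; the MSOL_ name pattern is taken from the question.

```powershell
<#
  Added example (not from the original thread): collect, for one user, the
  password-policy facts the accepted answer asks about before a writeback
  is attempted. Read-only: nothing is changed in AD.
  Assumption: ActiveDirectory RSAT module present, domain read access.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$user = Get-ADUser -Identity $SamAccountName `
    -Properties CannotChangePassword, PasswordLastSet, DistinguishedName

# 1. Which policy applies? A fine-grained policy (PSO) wins over the default
#    domain policy; Get-ADUserResultantPasswordPolicy returns $null when no
#    PSO applies to the user, directly or through a group.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if ($policy) {
    Write-Host "Resultant policy: fine-grained policy '$($policy.Name)' (precedence $($policy.Precedence))"
} else {
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
    Write-Host "Resultant policy: default domain password policy for $($domain.DNSRoot)"
}

# 2. The settings a written-back password has to satisfy.
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    MinPasswordAge, MaxPasswordAge, LockoutThreshold | Format-List

# 3. Account-level facts that matter regardless of which policy applies.
if ($user.CannotChangePassword) {
    Write-Warning "'User cannot change password' is set on $SamAccountName"
}
if ($user.PasswordLastSet -and $policy.MinPasswordAge -gt [TimeSpan]::Zero) {
    Write-Host "Password last set $($user.PasswordLastSet); MinPasswordAge is $($policy.MinPasswordAge)"
}

# 4. Does an MSOL_ account hold the Reset Password extended right on this user?
#    00299570-246d-11d0-a768-00aa006e0529 is the well-known GUID of that right;
#    an ExtendedRight ACE with an empty ObjectType grants all extended rights.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$resetAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like '*\MSOL_*' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
}
if ($resetAces) {
    $resetAces | ForEach-Object {
        Write-Host "Reset Password right: $($_.IdentityReference) (inherited: $($_.IsInherited))"
    }
} else {
    Write-Warning "No MSOL_ account has an explicit or inherited Reset Password ACE on $SamAccountName"
}
```

Run it as `.\Check-WritebackPolicy.ps1 -SamAccountName testuser` from a domain-joined machine with RSAT. The ACL step only matches ACEs granted directly to a principal whose name starts with `MSOL_`; if the right was delegated through a group, or is overridden by a Deny ACE higher in the tree, confirm it with the Effective Access tab in ADUC instead.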

1 additional answer

sysadmin 21 Reputation points

    Dear Sir

    Thank you for your help.

    After Get-ADDefaultDomainPasswordPolicy -identity <domain name>

    It looks to me that the Domain Policy is not active. Your guess is correct.

    I forced the domain policy and it works.
