sysadmin-8432 asked:

How can I resolve the password writeback issue with event IDs 6329 & 33008?

Issue:

When I try to reset the password of a test user from the Azure portal, I keep getting the following error:
"Unfortunately, you cannot reset this user's password because your on-premises policy does not allow it. Please review your on-premises policy to ensure that it is setup correctly."

When I do it from https://passwordreset.microsoftonline.com
I get a similar error.

Events 6329 & 33008 (screenshots attached)


Background:

On-prem AD password policy: looks OK
Azure AD password hash sync with SSO: OK
On-prem user, "User cannot change password" disabled: OK
MSOL_XXXXX account has the Reset Password effective permission
Azure AD password reset config: a group is selected and the group contains the test user: OK
Azure AD Connect installed on a Windows Server 2016 server, password writeback configured: OK
Azure AD password writeback setting on: OK


Tried (and rolled back) actions:

Tried resetting the test user's password
Tried adding the MSOL_ account to Domain Admins
Tried disabling password writeback in Azure AD Connect and re-enabling the writeback setting
Tried changing Azure AD Connect to connect to a different AD server

However, all of them failed.

How can I resolve the issue?



Tags: windows-active-directory, azure-ad-connect, azure-ad-domain-services, azure-ad-password-hash-sync

GaryReynolds answered:

Hi,

Did you try resetting the password of the users from a workstation connected to the domain?

If this failed, I would check if you have any fine-grained password policies assigned to the user, using the following PowerShell command:

 Get-ADUserResultantPasswordPolicy -Identity <username>

It is also worth checking what password policy is active at the domain level with the following command, in case the password policy is set in multiple GPOs:

 Get-ADDefaultDomainPasswordPolicy -identity <domain name>

Gary.


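A diagnostic script that combines Gary's two commands into one report, added here as an example and not part of the original answer. It assumes the RSAT ActiveDirectory module (and optionally the GroupPolicy module) on a domain-joined admin workstation; 'testuser' is a placeholder account name.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory (and optionally
# GroupPolicy) modules on a domain-joined admin workstation; 'testuser' is a placeholder.
Import-Module ActiveDirectory

function Get-WritebackPolicyReport {
    param([Parameter(Mandatory)][string]$Identity)

    $domain  = Get-ADDomain
    $user    = Get-ADUser -Identity $Identity -Properties PasswordLastSet, CannotChangePassword
    # Returns the fine-grained PSO that wins for this user, or $null if none applies.
    $pso     = Get-ADUserResultantPasswordPolicy -Identity $user
    $default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
    # The policy the on-prem side will actually enforce for this user.
    $policy  = if ($pso) { $pso } else { $default }

    $report = [ordered]@{
        User                 = $user.SamAccountName
        PolicySource         = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        MinPasswordAge       = $policy.MinPasswordAge
        PasswordHistoryCount = $policy.PasswordHistoryCount
        CannotChangePassword = $user.CannotChangePassword
        PasswordLastSet      = $user.PasswordLastSet
    }

    # The thread's root cause was a domain policy that was not in effect: list the GPOs
    # linked at the domain root so a missing or disabled Default Domain Policy stands out.
    if (Get-Module -ListAvailable -Name GroupPolicy) {
        $links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
        $report['DomainRootGpoLinks'] = ($links | ForEach-Object {
            '{0} (Enabled={1}, Enforced={2})' -f $_.DisplayName, $_.Enabled, $_.Enforced
        }) -join '; '
    }

    [pscustomobject]$report
}

Get-WritebackPolicyReport -Identity 'testuser' | Format-List
```

Compare the reported values with the settings you expect from the Default Domain Policy; a mismatch, or a root GPO link that is missing or disabled, points to the policy not being applied rather than to the Azure AD side.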

sysadmin-8432 answered:

Dear Sir

Thank you for your help.

After running Get-ADDefaultDomainPasswordPolicy -identity <domain name> (screenshot attached):

It looks to me that the Domain Policy is not active. Your guess is correct.

I forced the domain policy and it works.


