Have you gone through the troubleshooting guide?
https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback
Trouble getting Azure Active Directory password writeback to onprem to work
I'm using Windows 2019 servers. AD Connect is installed on a member server, not the AD server. Password changes sync fine from the on-prem AD server to Azure. I have enabled the permissions listed in this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback for the account listed in the Connect application under "View current config". It's listed under "Synchronized Directories". Writeback does not work from Azure to the on-prem AD.
The user has the following permissions.
Reset password
Write lockoutTime
Write pwdLastSet
Group policy Minimum password age is set to 0
Do I also need to delegate control to this user? Anything else?
-
Andy David - MVP 147.9K Reputation points MVP
2022-01-05T18:50:53.19+00:00
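As an added check that is not part of this thread: the PowerShell below reads the domain-root ACL and reports whether the connector account listed under "Synchronized Directories" actually holds the three permissions the question names (Reset password, Write lockoutTime, Write pwdLastSet). It assumes the ActiveDirectory RSAT module is installed and that the connector account's sAMAccountName is passed in; the attribute and extended-right GUIDs are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the thread): verify the SSPR writeback permissions
# of the Azure AD Connect AD DS connector account on the domain root.
# Assumptions: ActiveDirectory module available; $ConnectorAccount is the
# connector account's sAMAccountName (the MSOL_* account is a placeholder).
param(
    [Parameter(Mandatory)] [string]$ConnectorAccount   # e.g. 'MSOL_<placeholder>'
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Look up a schema attribute's GUID (used as ObjectType in WriteProperty ACEs).
function Get-AttributeGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
# The "Reset Password" control access right lives in CN=Extended-Rights.
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid

$required = @(
    @{ Name = 'Reset password';    Right = 'ExtendedRight'; Guid = [guid]$resetRight.rightsGuid }
    @{ Name = 'Write lockoutTime'; Right = 'WriteProperty'; Guid = Get-AttributeGuid 'lockoutTime' }
    @{ Name = 'Write pwdLastSet';  Right = 'WriteProperty'; Guid = Get-AttributeGuid 'pwdLastSet' }
)

$sid = (Get-ADUser -Identity $ConnectorAccount).SID
$acl = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs granted to the connector account itself.
$entries = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

foreach ($req in $required) {
    $right = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
    # Writeback targets user objects below the root, so the ACE must be inheritable.
    $hit = $entries | Where-Object {
        (($_.ActiveDirectoryRights -band $right) -eq $right) -and
        $_.ObjectType -eq $req.Guid -and
        $_.InheritanceType -ne 'None'
    }
    $status = if ($hit) { 'OK     ' } else { 'MISSING' }
    '{0} {1}' -f $status, $req.Name
}
```

A MISSING line points at the permission to re-delegate; ACEs granted through a group rather than directly to the account will also show as MISSING because the script matches the account SID only.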
10 additional answers
Sort by: Most helpful
-
Andy Emerine 61 Reputation points
2022-01-05T20:09:11.8+00:00
I'm going through the troubleshooting guide. In the section "Verify that Azure AD Connect has the required permissions", step 10, Reset password does not have a checkmark. I went through the steps again here https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback to assign Reset password, Write permissions on lockoutTime, and Write permissions on pwdLastSet, but Reset password still does not have a checkmark on step 10.
-
Andy David - MVP 147.9K Reputation points MVP
2022-01-06T14:25:57.387+00:00
Ok, I would give it a few and try again. Then look for any error messages on the AADConnect server.
Elevated accounts would be any in an elevated group like Domain Admins etc. Password writeback won't work for those accounts.
-
Andy Emerine 61 Reputation points
2022-01-06T14:51:40.1+00:00
Event Viewer > Windows Logs > Application
Error PasswordReset 33008
TrackingId: 196a4fc0-101a-4dff-a419-094fd5a1c27d, Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_c14e72c3-1b0b-4bd6-add3-d73494a51405, SourceAnchorValue: 2vZeyqwvoU6n5xUhis4jlQ==, UserPrincipalName: testuser@keyman .com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)
Error ADSync 6329
An unexpected error has occurred during a password set operation.
"WARNING: MMS(8408): ..\nscsimp.cpp(304): g_PrfData.AddInstance failed
WARNING: MMS(8408): ..\nscsimp.cpp(399): g_PrfData.AddInstance failed
ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
BAIL: MMS(8408): admaexport.cpp(2934): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
BAIL: MMS(8408): admaexport.cpp(3312): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
ERR_: MMS(8408): ..\ma.cpp(8257): ExportPasswordSet failed with 0x80230619
Azure AD Sync 2.0.89.0"
-
Andy David - MVP 147.9K Reputation points MVP
2022-01-06T14:56:50.823+00:00