Trouble getting Azure Active Directory password writeback to onprem to work

Andy Emerine 61 Reputation points
2022-01-05T18:47:31.413+00:00

I'm using Windows 2019 servers. AD Connect is installed on a member server, not the AD server. Password changes sync fine from the on-prem AD server to Azure. I have enabled the permissions listed in this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback for the account listed in the Connect application under "View current config". It's listed under "Synchronized Directories". Writeback does not work from Azure to the on-prem AD.

The user has the following permissions.
Reset password
Write lockoutTime
Write pwdLastSet

Group policy Minimum password age is set to 0

Do I also need to delegate control to this user? Anything else?

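The question asks whether the three delegated permissions from the tutorial are enough and whether anything else is needed. The check below is an added example, not part of the original question or of the Microsoft tutorial: it reads the effective ACL of a test user and reports whether the AD DS Connector account holds the Reset Password extended right and write access to lockoutTime and pwdLastSet, resolving the GUIDs from the schema and configuration partitions rather than hardcoding them. The connector account name, the test user and the domain are assumptions to replace with your own values.

```powershell
# Added example (not from the original thread): verify the effective ACEs that
# password writeback needs on a test user. Account and user names are assumptions.
Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_1a2b3c4d5e6f'   # assumed: AD DS Connector account shown under "Synchronized Directories"
$testUserSam      = 'testuser'                     # assumed: the user whose writeback fails

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve attribute and extended-right GUIDs from the directory instead of hardcoding them.
function Get-AttributeGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

# The three permissions the tutorial delegates to the connector account.
$required = @(
    @{ Name = 'Reset password';   Guid = Get-ExtendedRightGuid 'Reset Password'; Right = 'ExtendedRight' }
    @{ Name = 'Write lockoutTime'; Guid = Get-AttributeGuid 'lockoutTime';        Right = 'WriteProperty' }
    @{ Name = 'Write pwdLastSet';  Guid = Get-AttributeGuid 'pwdLastSet';         Right = 'WriteProperty' }
)

$user = Get-ADUser -Identity $testUserSam -Properties adminCount
if ($user.adminCount -eq 1) {
    # AdminSDHolder periodically overwrites the ACL of protected accounts, so delegated ACEs do not survive there.
    Write-Warning "$testUserSam is (or was) a member of a protected group; delegated ACEs are overwritten by AdminSDHolder."
}

# Get-Acl on the user object returns explicit ACEs plus the ACEs inherited from the OU delegation.
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $connectorAccount -and $_.AccessControlType -eq 'Allow'
}

foreach ($req in $required) {
    $granted = $aces | Where-Object {
        # Right bit present (GenericAll also sets it) and scoped to this GUID or to all objects (empty GUID).
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]$req.Right) -ne 0) -and
        ($_.ObjectType -eq $req.Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Permission = $req.Name
        Granted    = [bool]$granted
        Source     = if ($granted) {
            ($granted | ForEach-Object { if ($_.IsInherited) { 'inherited' } else { 'explicit' } } | Select-Object -Unique) -join ','
        } else { '-' }
    }
}
```

Run it on a domain-joined machine with the RSAT ActiveDirectory module as a user who can read the object's security descriptor. A row showing Granted = False for a permission the tutorial was supposed to delegate means the ACE either was not applied at the OU that contains the user or does not inherit down to user objects; a row showing "explicit" only means the ACE was set on this single user and other users in the OU will still fail.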

10 additional answers

  1. Andy Emerine 61 Reputation points
    2022-01-05T20:09:11.8+00:00

    I'm going through the troubleshooting guide. The section: Verify that Azure AD Connect has the required permissions, step 10 reset password does not have a checkmark. I went through the steps again here https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback to assign Reset password, Write permissions on lockoutTime, Write permissions on pwdLastSet but reset password still does not have a checkmark on step 10.


  2. Andy David - MVP 147.9K Reputation points MVP
    2022-01-06T14:25:57.387+00:00

    Ok, I would give it a few more tries. Then look for any error messages on the AADConnect server.

    Elevated accounts would be any in an elevated group like Domain Admins etc... Password writeback won't work for those accounts.

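The advice above is to look for error messages on the AADConnect server. The script below is an added example, not code from the thread or from Microsoft: it pulls recent error-level events from the PasswordReset and ADSync providers in the Application log and extracts the fields worth correlating (TrackingId, HRESULT, UPN, reason text) so several failed writebacks can be grouped by error code. The 24-hour window and the regexes over the message text are assumptions based on the event format quoted later in this thread.

```powershell
# Added example (not from the original thread): triage password writeback errors
# on the AD Connect server. Window length and message regexes are assumptions.
function Get-WritebackErrors([int]$Hours = 24) {
    $filter = @{
        LogName      = 'Application'
        ProviderName = @('PasswordReset', 'ADSync')   # the two providers seen in writeback failures
        Level        = 2                              # 2 = Error
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $m = $e.Message
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Provider   = $e.ProviderName
            Id         = $e.Id
            # 33008 messages carry "TrackingId: <guid>"; use it to match the Azure-side attempt.
            TrackingId = if ($m -match 'TrackingId:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { $null }
            # 33008 writes "hr=80230619", 6329 writes "0x80230619"; accept both spellings.
            Hr         = if ($m -match '(?:hr=|0x)([0-9A-Fa-f]{8})') { $Matches[1].ToUpper() } else { $null }
            Upn        = if ($m -match 'UserPrincipalName:\s*(\S+)') { $Matches[1] } else { $null }
            Reason     = if ($m -match 'message=([^,]+)') { $Matches[1].Trim() } else { ($m -split "`n")[0] }
        }
    }
}

# Usage: list the failures, then group by HRESULT to see whether one cause dominates.
$errors = Get-WritebackErrors -Hours 24
$errors | Sort-Object Time | Format-Table Time, Provider, Id, Hr, Upn, Reason -AutoSize
$errors | Group-Object Hr | Select-Object Name, Count
```

Run it in an elevated PowerShell session on the AD Connect server itself (the events are local to that machine, not to the domain controller). The HRESULT is the value to search on: the same code appears in both the PasswordReset 33008 event and the ADSync 6329 event for one failed reset, so grouping on it ties the two together.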

  3. Andy Emerine 61 Reputation points
    2022-01-06T14:51:40.1+00:00

    Event Viewer > Windows Logs > Application

    Error PasswordReset 33008
    TrackingId: 196a4fc0-101a-4dff-a419-094fd5a1c27d, Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_c14e72c3-1b0b-4bd6-add3-d73494a51405, SourceAnchorValue: 2vZeyqwvoU6n5xUhis4jlQ==, UserPrincipalName: testuser@keyman .com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
    at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
    at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
    at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)

    Error ADSync 6329
    An unexpected error has occurred during a password set operation.
    "WARNING: MMS(8408): ..\nscsimp.cpp(304): g_PrfData.AddInstance failed
    WARNING: MMS(8408): ..\nscsimp.cpp(399): g_PrfData.AddInstance failed
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    BAIL: MMS(8408): admaexport.cpp(2934): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
    BAIL: MMS(8408): admaexport.cpp(3312): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
    ERR_: MMS(8408): ..\ma.cpp(8257): ExportPasswordSet failed with 0x80230619
    Azure AD Sync 2.0.89.0"


  4. Andy David - MVP 147.9K Reputation points MVP
    2022-01-06T14:56:50.823+00:00
