
Trouble getting Azure Active Directory password writeback to onprem to work

Andy Emerine 61 Reputation points
2022-01-05T18:47:31.413+00:00

I'm using Windows 2019 servers. AD Connect is installed on a member server not the AD server. Password changes sync fine from the on prem AD server to Azure. I have enabled the permissions listed in this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback for the account listed in the Connect application under "View current config". It's listed under "Synchronized Directories". Writeback does not work from Azure to the on prem AD.

The user has the following permissions.
Reset password
Write lockoutTime
Write pwdLastSet

Group policy Minimum password age is set to 0

Do I also need to delegate control to this user? Anything else?


Answer accepted by question author
  1. Andy David - MVP 160K Reputation points MVP Volunteer Moderator
    2022-01-05T18:50:53.19+00:00

10 additional answers

  1. Andy David - MVP 160K Reputation points MVP Volunteer Moderator
    2022-01-06T14:56:50.823+00:00

  2. Andy Emerine 61 Reputation points
    2022-01-06T14:51:40.1+00:00

    Event Viewer > Windows Logs > Application

    Error PasswordReset 33008
    TrackingId: 196a4fc0-101a-4dff-a419-094fd5a1c27d, Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_c14e72c3-1b0b-4bd6-add3-d73494a51405, SourceAnchorValue: 2vZeyqwvoU6n5xUhis4jlQ==, UserPrincipalName: testuser@keyman .com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.
    at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
    at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
    at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)

    Error ADSync 6329
    An unexpected error has occurred during a password set operation.
    "WARNING: MMS(8408): ..\nscsimp.cpp(304): g_PrfData.AddInstance failed
    WARNING: MMS(8408): ..\nscsimp.cpp(399): g_PrfData.AddInstance failed
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    ERR_: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
    BAIL: MMS(8408): C:__w\1\s\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
    BAIL: MMS(8408): admaexport.cpp(2934): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
    BAIL: MMS(8408): admaexport.cpp(3312): 0x80230619 (A restriction prevents the password from being changed to the current one specified.)
    ERR_: MMS(8408): ..\ma.cpp(8257): ExportPasswordSet failed with 0x80230619
    Azure AD Sync 2.0.89.0"


  3. Andy David - MVP 160K Reputation points MVP Volunteer Moderator
    2022-01-06T14:25:57.387+00:00

    Ok, I would give it a few and try again. Then look for any error messages on the AADConnect server.

    Elevated accounts would be any in an elevated group like Domain Admins etc. Password writeback won't work for those accounts.


  4. Andy Emerine 61 Reputation points
    2022-01-05T20:09:11.8+00:00

    I'm going through the troubleshooting guide. The section: Verify that Azure AD Connect has the required permissions, step 10 reset password does not have a checkmark. I went through the steps again here https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback to assign Reset password, Write permissions on lockoutTime, Write permissions on pwdLastSet but reset password still does not have a checkmark on step 10.
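A way to check from the Azure AD Connect server whether the connector account really holds the three rights the question lists (Reset password, Write lockoutTime, Write pwdLastSet) on the synchronized scope, written as an added example that is not from this thread or from Microsoft's tutorial. It resolves the attribute and extended-right GUIDs from the schema and Extended-Rights containers rather than hardcoding them; `$ConnectorAccount` and `$TargetOU` are placeholders you replace with your own values, and only ACEs granted directly to that account (not via group membership) are matched.

```powershell
# Added example: verify SSPR writeback rights for the AD DS connector account.
# Assumes the ActiveDirectory module is installed (it creates the AD: drive).
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_placeholder'       # placeholder: account shown under "Synchronized Directories"
$TargetOU         = (Get-ADDomain).DistinguishedName  # placeholder: domain root, or the OU your sync scope uses

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look up the schemaIDGUID of an attribute (e.g. pwdLastSet) from the schema partition.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
# Look up the rightsGuid of a control access right (e.g. "Reset Password") from Extended-Rights.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$required = @(
    @{ Name = 'Reset password';   Guid = Get-ExtendedRightGuid 'Reset Password'; Rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight }
    @{ Name = 'Write lockoutTime'; Guid = Get-AttributeGuid 'lockoutTime';       Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty }
    @{ Name = 'Write pwdLastSet';  Guid = Get-AttributeGuid 'pwdLastSet';        Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty }
)

# Read the ACL of the scope and keep only Allow ACEs granted directly to the connector account.
$acl  = Get-Acl -Path "AD:\$TargetOU"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ConnectorAccount -and $_.AccessControlType -eq 'Allow'
}

foreach ($r in $required) {
    # An ACE matches if it carries the right and either names this exact GUID
    # or has an empty ObjectType (the right applies to all attributes/rights).
    $hit = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $r.Rights) -ne 0) -and
        ($_.ObjectType -eq $r.Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Permission = $r.Name
        Status     = if ($hit) { 'OK' } else { 'MISSING' }
        Scope      = $TargetOU
    }
}
```

Run it in an elevated PowerShell session on a domain-joined host; a MISSING row points at the right to re-delegate on that scope before re-running the writeback test.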

