Forum Discussion
Azure AD SSPR Password write back issue
- Feb 18, 2022
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domains.
For future readers:
1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
6: Leave everything default, and Click OK
Thank you again for your knowledge and time.
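The GPO setting described above is applied to the DC as an SDDL string in the RestrictRemoteSAM registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following PowerShell is an added example (not code from the thread or from Microsoft) that reads that value on the DC where it is run and reports whether a given account, assumed here to be the AD DS connector account under a placeholder name, is granted the READ_CONTROL right the policy uses. Run it on each DC (and in each domain) that the connector talks to.

```powershell
# Added example: check whether an account is allowed by the
# "Network access: Restrict clients allowed to make remote calls to SAM" policy.
# The account name is a placeholder; replace it with your AD DS connector account.
param(
    [string]$AccountName = 'CONTOSO\MSOL_xxxxxxxx'   # placeholder (assumed)
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'

# The policy is written as an SDDL string; a missing value means "Not Defined"
# in the local policy, so the OS default applies.
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Output "$valueName is not configured on $env:COMPUTERNAME; the OS default applies."
    return
}
$sddl = $item.$valueName
Write-Output "Effective SDDL on ${env:COMPUTERNAME}: $sddl"

# Resolve the account to a SID so the comparison does not depend on name formatting.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Output "Could not resolve '$AccountName' to a SID: $($_.Exception.Message)"
    return
}

# Parse the SDDL and walk the DACL. The policy grants READ_CONTROL (RC, 0x20000)
# to each principal that is allowed to make remote SAM calls.
$READ_CONTROL = 0x20000
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$allowed = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $principal = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                 catch { $ace.SecurityIdentifier.Value }
    Write-Output ("  {0,-13} {1}  mask=0x{2:X}" -f $ace.AceType, $principal, $ace.AccessMask)

    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $sid -and
        ($ace.AccessMask -band $READ_CONTROL) -ne 0) {
        $allowed = $true
    }
}

if ($allowed) {
    Write-Output "OK: $AccountName is allowed to make remote SAM calls on $env:COMPUTERNAME."
} else {
    Write-Output "MISSING: $AccountName is not granted by $valueName on $env:COMPUTERNAME; password writeback will fail here."
}
```

Group membership is not expanded here: an account allowed only through a group listed in the SDDL is reported as missing. If you rely on a group, compare the group's SID instead, or add the account explicitly as the post above did.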
Do you experience this issue with one user or with all the users? Some things that you possibly can check:
- Did you enable inheritance for the AD account(s)?
- Did you enable Password writeback in the Azure AD Connect configuration?
- Did you enable SSPR in the Azure AD Portal?
- Do you have a valid Azure AD Premium license?
Let me know!
Hi BilalelHadd, thank you for the response!
- Did you enable inheritance for the AD account(s)?
-- Yes, did check this also. The AD DS connector account has all the rights:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
- Did you enable Password writeback in the Azure AD Connect configuration?
Yes
- Did you enable SSPR in the Azure AD Portal?
Yes
- Do you have a valid Azure AD Premium license?
Yes
It just stopped working since (2/7/22) Monday this week, and only for action 'Reset password (self-service)'.
'Change password (self-service)' works as it is supposed to. So users can change their password via account settings in the M365 user portal, but cannot reset it on passwordreset.microsoftonline.com. Both use the OnPremisesAgent -> AADConnect.
- BilalelHadd, Feb 11, 2022, Iron Contributor
Hi vand3rlinden,
Thanks for the answer. Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly. Do you have a screenshot of the current Domain Policy where the password policy is stated?
- vand3rlinden, Feb 11, 2022, Brass Contributor
Thanks for trouble shooting with me!
* Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly.
Yes, please check below screenshot
inheritance-enabled.png
Inheritance = enabled and MSOL_xxxx has all the rights to reset the password on the object.
* Do you have a screenshot of the current Domain Policy where the password policy is stated?
- BilalelHadd, Feb 14, 2022, Iron Contributor
Hi vand3rlinden,
No problem! We are here to help.
In regards to your password policy, this is configured correctly. The event id 33004 is related to credentials. I am pretty sure that your issue is related to the service account's permissions. If you are stating that the permissions are configured correctly, I would like to ask you to run the below commands on the Service Account(s):
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
More information about running these commands and the module can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account
Let me know what happens when a user tries to reset his password after running the commands.
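Set-ADSyncPasswordWritebackPermissions grants the connector account the Reset Password extended right plus write access to pwdLastSet and lockoutTime on descendant user objects of the domain root. The PowerShell below is an added example (not code from the thread, the ADSyncConfig module or Microsoft's troubleshooting page) that reads the domain root ACL with the ActiveDirectory module and reports which of those three ACEs exist for a given account, and optionally checks one user object for blocked inheritance, which was the first thing asked about in this thread. The account and sample user names are assumed placeholders.

```powershell
# Added example: verify the ACEs that password writeback needs for the
# AD DS connector account, and that a sample user still inherits them.
# Both names below are placeholders; replace them with your own values.
param(
    [string]$AccountName = 'CONTOSO\MSOL_xxxxxxxx',   # placeholder (assumed)
    [string]$SampleUser  = ''                         # optional sAMAccountName to spot-check
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known schema / extended-right GUIDs used by the writeback ACEs.
$required = @(
    @{ Name = 'Reset Password (extended right)'; Guid = '00299570-246d-11d0-a768-00aa006e0529'; Right = 'ExtendedRight' },
    @{ Name = 'Write pwdLastSet';                Guid = 'bf967a0a-0de6-11d0-a285-00aa003049e2'; Right = 'WriteProperty' },
    @{ Name = 'Write lockoutTime';               Guid = '28630ebf-41d5-11d1-a9c1-0000f80367c1'; Right = 'WriteProperty' }
)
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

# Keep only Allow ACEs for the connector account that apply to descendant user objects.
$mine = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AccountName -and
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -eq $userClassGuid
}

$missing = 0
foreach ($req in $required) {
    $want = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
    $hit = $mine | Where-Object {
        $_.ObjectType -eq [guid]$req.Guid -and
        (($_.ActiveDirectoryRights -band $want) -ne 0)
    }
    if ($hit) { Write-Output ("OK       {0}" -f $req.Name) }
    else      { Write-Output ("MISSING  {0}" -f $req.Name); $missing++ }
}

if ($missing -gt 0) {
    Write-Output "$missing ACE(s) missing for $AccountName on $domainDN; re-run Set-ADSyncPasswordWritebackPermissions."
} else {
    Write-Output "All writeback ACEs present for $AccountName on $domainDN."
}

# Optional spot-check: an ACE on the domain root only reaches a user whose
# object does not block inheritance (the "Enable inheritance" checkbox).
if ($SampleUser) {
    $user = Get-ADUser -Identity $SampleUser -ErrorAction Stop
    $userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    if ($userAcl.AreAccessRulesProtected) {
        Write-Output "WARNING: inheritance is blocked on $($user.DistinguishedName); writeback ACEs from the domain root do not apply."
    } else {
        Write-Output "Inheritance enabled on $($user.DistinguishedName)."
    }
}
```

Run it once per domain that the connector syncs, in an elevated session on a machine with RSAT. A MISSING line for one of the three rights means the Set-ADSync* commands above did not take effect (or were run against the wrong domain), while a WARNING on the user means the rights exist but never reach that account, which produces the same symptom from the user's side.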