Forum Discussion
Azure AD SSPR Password write back issue
- vand3rlinden, Feb 18, 2022, Brass Contributor
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account to that GPO on both domains.
For future readers:
1: Open Local Security Policy: click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-click and select Properties
4: On the Template Security Policy Setting, click Edit Security
5: Under Group or user names, click Add and add the AD DS connector account
6: Leave everything default, and click OK
Thank you again for your knowledge and time.
We are using fine-grained password policies (FGPP) in ADAC. The maximum age is set to 90 days in that policy, and the minimum is not set. But we did not change any settings there, so with the same settings as we still have in the FGPP in ADAC, SSPR (the reset function) worked fine all the time before 7/2/22.
Thanks for the article. Our Minimum password age in the Default Domain GPO is 0, and in the FGPP it is not set. I have another call with a Microsoft Support engineer regarding this issue; I will share the outcome of that call in this post.
Hi Bilal, I had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However, this GPO is not defined in either the Domain or the Domain Controller GPO policies. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting is present on the DCs that talk with AD Connect, which is interesting. I propose a change to delete the REG key on one domain controller first and let AD Connect talk only with that DC, which then does not have the REG key ‘RestrictRemoteSam’.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
But it remains strange that the SSPR reset function suddenly stopped on Monday 7/2/22; still, this is an interesting progression.
Will update this post ASAP.
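The posts above first check for the RestrictRemoteSam registry value on the DCs and then fix the problem by adding the AD DS connector account to the policy in secpol.msc. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads that value on the DC it runs on, decodes the SDDL security descriptor stored in it, lists every principal in the DACL, and reports whether a given connector account has an explicit Allow entry. The account name 'CONTOSO\MSOL_connector' is a placeholder; the script assumes it runs in an elevated session on the DC and that the account resolves in the domain. It only audits and never modifies the policy.

```powershell
# Added example (not from the thread): audit the "Network access: Restrict clients
# allowed to make remote calls to SAM" setting on a domain controller and report
# whether the Azure AD Connect AD DS connector account is granted access.
# Run elevated on each DC that Azure AD Connect talks to.
param(
    # Placeholder account name (assumption); replace with your real connector account.
    [string]$ConnectorAccount = 'CONTOSO\MSOL_connector'
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$regName = 'RestrictRemoteSam'

# 1. Read the policy value. If it is absent, the OS default applies and this
#    setting is not the reason password writeback fails on this DC.
$prop = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
if (-not $prop) {
    Write-Output "$regName is not set on $env:COMPUTERNAME; default remote SAM access rules apply."
    return
}
$sddl = $prop.$regName
Write-Output "$regName on $env:COMPUTERNAME = $sddl"

# 2. Decode the SDDL. The value is a security descriptor whose DACL lists the
#    principals allowed (or denied) to make remote SAM calls.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved SID>' }
    Write-Output ('  {0,-14} {1,-40} {2} mask=0x{3:X}' -f $ace.AceType, $name, $sid.Value, $ace.AccessMask)
}

# 3. Look for an explicit Allow entry for the connector account. Group nesting is
#    not expanded here, so a missing direct entry is a hint to investigate, not
#    proof that the account is blocked.
$connectorSid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
$allowed = $sd.DiscretionaryAcl | Where-Object {
    $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $connectorSid
}
if ($allowed) {
    Write-Output "OK: $ConnectorAccount has an explicit Allow entry in $regName."
} else {
    Write-Warning "$ConnectorAccount has no explicit Allow entry in $regName on $env:COMPUTERNAME; add it via secpol.msc as described above, or expect password writeback to fail against this DC."
}
```

Run it once per DC that Azure AD Connect uses; a DC where the value is absent and a DC where it is present but lacks the connector account will behave differently for writeback, which matches the symptom in the thread where only some DCs carried the key.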
- vand3rlinden, Feb 23, 2022, Brass Contributor
Thank you for sharing, Jan, and great that you have fixed event ID 33001; I will save your solution!
For ID 33008, I updated my blog post as well. 33008 can have multiple solutions:
https://vand3rlinden.nl/index.php/2020/07/03/fix-sspr-failure-reason-onpremisesadminactionrequired/
- Jan Bakker, Feb 23, 2022, Iron Contributor
Lots of password writeback issues since the last patches. I bumped into this one last week:
https://janbakker.tech/kb-selfservicepasswordreset-write-back-problem-error-hr80230818/
- BilalelHadd, Feb 17, 2022, Iron Contributor
Hi vand3rlinden,
Thanks for the heads-up. Please keep us posted. You've mentioned earlier that there were no changes within the environment, so it should be Microsoft that made a change, I assume.