Forum Discussion

vand3rlinden's avatar
vand3rlinden
Brass Contributor
Feb 10, 2022
Solved

Azure AD SSPR Password write back issue

Hi all,   A company I work for have issues with the reset password function with AD Connect.   In the SSPR audit logs in Azure AD, we face on 'Reset password (self-service)' the status reason 'On...
Authentication
Identity
On-Premises
  • vand3rlinden's avatar
    vand3rlinden
    Feb 18, 2022

    Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was setup in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domain.

    For future readers:

    1: Open Local Security Policy, click Start, type secpol.msc
    2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
    3: Right-Click and Select Properties
    4: On the Template Security Policy Setting, Click Edit Security
    5: Under Group or user names, Click Add the AD DS connector account
    7: Leave everything default, and Click OK

     

     

    Thank you again for your knowledge and time.

BilalelHadd's avatar
BilalelHadd
Iron Contributor
Feb 17, 2022
Hi vand3rlinden,

Thanks for the heads-up. Please keep us posted. You've mentioned earlier that there were no changes within the environment, so it should be Microsoft that made a change, I assume.
vand3rlinden's avatar
vand3rlinden
Brass Contributor
Feb 18, 2022

Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was setup in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domain.

For future readers:

1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
7: Leave everything default, and Click OK

 

 

Thank you again for your knowledge and time.

  • vand3rlinden's avatar
    vand3rlinden
    Brass Contributor
    Feb 23, 2022
    Thank you for sharing Jan and great that you have fix event ID 33001, will save your solution!

    For ID 33008, I updated my blog post as well. 33008 can have multiple solutions:

    https://vand3rlinden.nl/index.php/2020/07/03/fix-sspr-failure-reason-onpremisesadminactionrequired/
  • Jan Bakker's avatar
    Jan Bakker
    Iron Contributor
    Feb 23, 2022
    Lot's of password writeback issues since the last patches. I bumped into this one last week:

    https://janbakker.tech/kb-selfservicepasswordreset-write-back-problem-error-hr80230818/

Resources