Forum Discussion
vand3rlinden
Feb 10, 2022 · Brass Contributor
Azure AD SSPR Password write back issue
Hi all, a company I work for has issues with the reset password function with AD Connect. In the SSPR audit logs in Azure AD, we face on 'Reset password (self-service)' the status reason 'On...
- Feb 18, 2022
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domains.
For future readers:
1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
7: Leave everything default, and Click OK

Thank you again for your knowledge and time.
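
Added example (not part of the original post, and not Microsoft's own tooling): a PowerShell check, run elevated on each DC, that reads the SDDL this policy stores in the `RestrictRemoteSAM` value under the Lsa registry key and reports whether the AD DS connector account is listed with Remote Access allowed. The account name `CONTOSO\MSOL_placeholder` is a placeholder, and access granted through membership of a listed group is not resolved here.

```powershell
# Added example: audit "Network access: Restrict clients allowed to make remote calls to SAM".
# Assumption: CONTOSO\MSOL_placeholder is a placeholder for your AD DS connector account.
param([string]$ConnectorAccount = 'CONTOSO\MSOL_placeholder')

# The policy is stored as an SDDL string in this registry value.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsaKey -ErrorAction Stop).RestrictRemoteSAM
if ([string]::IsNullOrWhiteSpace($sddl)) {
    Write-Output 'RestrictRemoteSAM is not configured on this machine; the OS default applies.'
    return
}

$READ_CONTROL = 0x00020000   # "RC" in SDDL; shown as "Remote Access" in the policy editor
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
$account = New-Object System.Security.Principal.NTAccount($ConnectorAccount)
$connectorSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Turn every ACE of the DACL into a readable row.
$entries = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { '<unresolved>' }
    [pscustomobject]@{
        Type         = $ace.AceQualifier
        RemoteAccess = [bool]($ace.AccessMask -band $READ_CONTROL)
        Sid          = $ace.SecurityIdentifier.Value
        Account      = $name
        IsConnector  = ($ace.SecurityIdentifier.Value -eq $connectorSid)
    }
}
$entries | Format-Table -AutoSize

# Only a direct Allow entry is detected; group-based access needs a separate membership check.
$direct = $entries | Where-Object {
    $_.IsConnector -and $_.Type -eq 'AccessAllowed' -and $_.RemoteAccess
}
if ($direct) {
    Write-Output "$ConnectorAccount is listed with Remote Access allowed."
} else {
    Write-Output "$ConnectorAccount is NOT listed directly; check the groups shown above."
}
```
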
BilalelHadd
Feb 14, 2022 · Iron Contributor
Hi,
Thanks for the heads-up. Let us know what the Microsoft engineers state. Did you not harden the domain by implementing features or policies?
You might want to check this article: https://social.msdn.microsoft.com/Forums/en-US/6082daf5-2893-407b-b009-bc49464df984/aadsync-password-reset?forum=WindowsAzureAD
vand3rlinden
Feb 15, 2022 · Brass Contributor
Hi BilalelHadd,
We are using fine-grained password policies (FGPP) in ADAC. The maximum age is set up to 90 days in that policy, and minimum is not set. But we did not change any settings there, so with the same settings as we still have in the FGPP in ADAC, SSPR (reset function) just worked fine all the time before 7/2/22.
Thanks for the article, our Minimum password age in the Default Domain GPO is 0 and in the FGPP it is not set. I have a call again with another Microsoft Support engineer regarding this issue, I will share the outcome of that call in this post.