Hello all,
I'm currently setting up a proof-of-concept setup with directory synchronisation and password syncing to Office 365, leveraging AAD Premium for the password reset and password writeback to on-premises AD functionality. Directory Sync + Password Sync is working flawlessly with the AADSync tool. However, upon requesting a password reset for a user, I'm hitting a password writeback error. The webpage states that the password does not meet the password complexity policy, while it does. I can set that particular password for that account at the on-premises AD without any problem.
In the event viewer at the AADSync server, I'm seeing this Error pop up whenever I try to reset the password:
An unexpected error has occurred during a password set operation. "BAIL: MMS(4032): ..\server.cpp(11003): 0x80230619 (A restriction prevents the password from being changed to the current one specified.) Azure AD Sync 1.0.0475.1202"
My Setup:
- Windows Server 2012 AD with a single forest
- Separate domain-joined Windows Server 2012 for AADSync tool
- AADSync version 1.0.0475.1202 with options password sync, password writeback enabled
- Service account for AADSync tool with Replicating Directory Changes and Replicating Directory Changes All permissions on root AD forest structure with inheritance to all objects. This account also has the permissions to Change Password and Reset Password on all descendant User Objects.
- AAD Premium for my Office 365 tenant
- AAD Premium licenses for the test users and the Office 365 account used to sync to Office 365. This account is also Global Admin.
Could anyone help me with this? Is there something I'm missing here? My guess is that the AAD is not trusted or the service account for the AADSync tool does not have the proper permissions. I've tried many options, like setting the AADSync service account to Enterprise Admin or granting the service account Full Control over that particular user.
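As an added example (not part of the original post), the following PowerShell audits the two things the post is guessing at from the on-premises side: which password-related ACEs the AADSync service account actually holds on the failing user's AD object (including any Deny entries), and which password policy settings besides complexity apply to that user. It assumes a domain-joined host with the RSAT ActiveDirectory module; the account and user names are placeholders.

```powershell
# Added example, not from the original post. Placeholders: replace with your
# AADSync service account and a test user whose writeback reset fails.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-aadsync'   # placeholder
$TestUser       = 'testuser01'            # placeholder

# Well-known extended-right GUIDs for the two rights the post says were granted.
$Rights = @{
    'Reset Password'  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
    'Change Password' = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
}

$user = Get-ADUser -Identity $TestUser -Properties PasswordLastSet
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# Every ACE on the user object that names the service account, explicit or
# inherited. A Deny ACE takes precedence over any Allow, so it is shown as such.
Write-Host "ACEs for $ServiceAccount on $($user.DistinguishedName):"
$acl.Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    ForEach-Object {
        $ace  = $_
        $name = foreach ($r in $Rights.GetEnumerator()) {
            if ($r.Value -eq $ace.ObjectType) { $r.Key }
        }
        if (-not $name) { $name = $ace.ActiveDirectoryRights }   # non-password right
        '{0,-5} {1,-40} inherited={2}' -f $ace.AccessControlType, $name, $ace.IsInherited
    }

# Complexity is only one of several constraints a new password must satisfy;
# history count and minimum age are the others enforced at set/change time.
Write-Host "`nDefault domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MinPasswordAge

# A fine-grained password policy, if one applies, overrides the default for this user.
Write-Host "`nResultant (fine-grained) policy for $TestUser (blank = none applies):"
Get-ADUserResultantPasswordPolicy -Identity $TestUser

Write-Host "`nPasswordLastSet for $TestUser : $($user.PasswordLastSet)"
```

Run it as an account with read access to the user object; if the service account shows no Allow ACE for Reset Password, or any Deny ACE, the permission side of the guess is confirmed before touching AADSync itself.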