Fix: SSPR failure reason OnPremisesAdminActionRequired

When an onpremis user in your environment cannot change his password and you see in the SSPR audit logs OnPremisesAdminActionRequired or ADAdminActionRequired as failure


Cause

Open the EventViewer in the AAD Connect server, you will see an error of the event with ID 33008; “hr=80230626, message=The password could not be updated because the management agent credentials were denied access”¬†on source PasswordResetService. In this post I will explain three possible solutions for this error. I face this error many times, and is always regarding 1 of this solution.

Possible solution 1:

Obtain the AD DS connector account and check the permissions of this account in AD, by following this steps:

  1. Open the object that face the SSPR issue in AD
  2. Go to the security tab and click Advanced
  3. Check if inheritance permissions is turned on
  4. Go to the Effective Access tab and choose Select a user
  5. Select the AD DS Connector account and click on View effective access
  6. Scroll down and look for Reset password, If the entry has a check mark, the AD DS account has permission to reset the password of the selected Active Directory user account.

If the AD DS connector don’t have the permission the reset the password, then follow this steps:

  1. Open AD Connect
  2. Troubleshoot
  3. Select option 12 – Set default AD Connector account permissions
    1. You can also select option 8 – Set password writeback permissions

When the AD DS connector account has the reset permissions on the object, do a full sync and try again.

Possible solution 2:

  1. Check if an infected account has a value on the adminCount attribute in Active Directory.
  2. Check if an infected account has ‘password never expires’ or ‘user cannot change password’ configured.

Possible solution 3:

Check if there is a GPO or local GPO on the domain controller with the setting: Network access: Restrict clients allowed to make remote calls to SAM

You could first check if the domain controller has the regkey RestrictRemoteSam configured in HLM\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam if yes, follow the following steps:

  1. Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> “Network access: Restrict clients allowed to make remote calls to SAM”.
  2. Select “Edit Security” to configure the “Security descriptor:”
  3. Add the AD DS connector account
  4. Select “Allow” for “Remote Access” in “Permissions for “Administrators”
  5. Apply, reboot is not required
  6. Do this on all domain controllers

Wait 5 minutes and SSPR will functioning again.

Cloud only users

If you get the same error on a cloud only user, that is because Password Writeback is enabled and the source will go to AD instead of AAD.


Share this: