When an on-premises user in your environment cannot change their password and the SSPR audit logs show OnPremisesAdminActionRequired as the failure reason:
Open Event Viewer on the Azure AD Connect server. You will see an event from source PasswordResetService with the message “A restriction prevents the password from being changed to the current one specified”. To solve this, check that the AD DS connector account used by Azure AD Connect matches the account granted permissions in AD and that it has write access on your AD objects.
Fix for one user
- Step 1:
  - Go to Synchronization Service Manager
  - Select “yourdomain”
  - Click Properties
  - Click “Connect to Active Directory Forest”
  - Note the username shown here; this is the AD DS connector account.
  - The username is something like MSOL_XXXXXxxxXXXxx
- Step 2:
  - Go to Active Directory
  - Open the user’s properties
  - Jump to the Security tab
  - Check that the AD DS connector account matches the one you noted in Step 1 and has write access on the user.
  - If not, hit “Advanced” in the Security tab, check whether inheritance is enabled from the top level, or add the MSOL_ account manually.
Fix for all users
If all on-premises users get OnPremisesAdminActionRequired when they try to reset their password, check the AD DS connector account in the domain properties in AD (top level) under the Security tab, or check the OU inheritance if only users from a particular OU have this issue.
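The checks in Step 2 and in the "Fix for all users" section can be scripted so the result is not left to reading the Advanced Security dialog by eye. The following PowerShell is an added example, not code from the original article or from Azure AD Connect. It assumes a domain-joined machine with the ActiveDirectory RSAT module, takes the connector account noted in Step 1 in DOMAIN\name form (the `CONTOSO\MSOL_xxxxxxxxxxxx` value is a placeholder), and reports whether that account holds the rights password writeback needs on a given user, or on the domain root when no user is given. The required rights (the Reset Password extended right and Write Property on pwdLastSet and lockoutTime) are resolved from the live schema rather than hard-coded.

```powershell
# Added example (not part of the original article): verify the AD DS connector account's
# password-writeback permissions on one user object, or on the domain root when -UserSamAccountName
# is omitted. Requires the ActiveDirectory RSAT module on a domain-joined machine.
param(
    # Account noted in Step 1, as DOMAIN\name. Placeholder value, replace with your own.
    [Parameter(Mandatory)] [string] $ConnectorAccount = 'CONTOSO\MSOL_xxxxxxxxxxxx',
    # sAMAccountName of the affected user; leave empty to inspect the domain root (top level).
    [string] $UserSamAccountName
)

Import-Module ActiveDirectory

# Resolve the GUIDs of the rights password writeback needs from this forest's schema and
# Extended-Rights container, so the script does not depend on hard-coded values.
$rootDse = Get-ADRootDSE
$extendedRightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$resetPasswordGuid = [guid](Get-ADObject -SearchBase $extendedRightsDn `
    -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid

$attrGuids = @{}
foreach ($attr in 'pwdLastSet', 'lockoutTime') {
    $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
    $attrGuids[$attr] = [guid]$schemaObj.schemaIDGUID
}

# Pick the object to inspect: the user (Fix for one user) or the domain root (Fix for all users).
$targetDn = if ($UserSamAccountName) {
    (Get-ADUser -Identity $UserSamAccountName).DistinguishedName
} else {
    (Get-ADDomain).DistinguishedName
}

$acl = Get-Acl -Path "AD:\$targetDn"

# Allow ACEs granted to the connector account itself, whether explicit or inherited.
# Rights granted through a group the account belongs to are not visible here.
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $ConnectorAccount
}

$rights = [System.DirectoryServices.ActiveDirectoryRights]

# An ACE with an empty ObjectType applies to all rights of that kind (this is how GenericAll shows up).
$resetAce = $aces | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
    ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object -First 1

$report = [ordered]@{
    Object                     = $targetDn
    ConnectorAccount           = $ConnectorAccount
    InheritanceBlockedOnObject = $acl.AreAccessRulesProtected   # true means "Advanced" has inheritance disabled
    ResetPassword              = if ($resetAce) { "OK (inherited: $($resetAce.IsInherited))" } else { 'MISSING' }
}

foreach ($attr in $attrGuids.Keys) {
    $guid = $attrGuids[$attr]
    $writeAce = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object -First 1
    $report["Write_$attr"] = if ($writeAce) { "OK (inherited: $($writeAce.IsInherited))" } else { 'MISSING' }
}

[pscustomobject]$report
```

Run it once with `-UserSamAccountName` for the user from the audit log and once without it for the domain root. A MISSING entry on the user while the root shows OK points at blocked inheritance on the user or on an OU in between (InheritanceBlockedOnObject is true, or the ACE is present on the root but not inherited down); MISSING on the root means the connector account was never granted the rights at the top level. The script matches the account name only, so if the MSOL_ account received its rights through a group, resolve that group membership separately before concluding the permission is absent.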
Cloud only users
If you get the same error for a cloud-only user, that is because Password Writeback is enabled, so the reset is sent to on-premises AD instead of being handled in AAD.