When an on-premises user in your environment cannot change their password and the SSPR audit logs show OnPremisesAdminActionRequired as the failure reason:
Open Event Viewer on the Azure AD Connect server. You will see an event from source PasswordResetService with the message “A restriction prevents the password from being changed to the current one specified”. To solve this, we need to check that the AD DS connector account configured in Azure AD Connect matches the account granted permissions in AD and that it has write access on your AD user objects.
- Step 1:
  - Go to Synchronization Service Manager
  - Select “yourdomain”
  - Click on Properties
  - Select “Connect to Active Directory Forest”
  - Note the user name shown here; this is the AD DS connector account.
- Step 2:
  - Go to Active Directory Users and Computers
  - Open the affected user’s properties
  - Go to the Security tab
  - Check that the AD DS connector account listed there matches the one you noted in step 1 and has write access on the user
  - If not, click “Advanced” in the Security tab and check whether inheritance is enabled
  - Compare the permissions with those of another user in the same OU
If all on-premises users have this issue when they try to reset their password, check the AD DS connector account’s permissions in the domain properties in AD (the top-level domain object) under the Security tab.
If you get the same error for a cloud-only user, that is because Password Writeback is enabled and the reset is being written back to AD instead of Azure AD.
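The same checks can be scripted so the result is repeatable and comparable across users. The following PowerShell is an added example, not part of the original article: it reads the ACL of the failing user, of a working user in the same OU, and of the domain root, and reports whether the AD DS connector account has an Allow entry for WriteProperty and for the Reset Password extended right, and whether inheritance is blocked on the object. The account names (`CONTOSO\MSOL_placeholder`, `failing.user`, `working.user`) are placeholders to replace with the name noted in step 1 and your own users; it assumes the RSAT ActiveDirectory module and that you run it as an account that can read the objects’ security descriptors.

```powershell
# Added example (not from the original article). Replace the placeholder
# parameter values with the connector account noted in step 1 and your users.
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_placeholder',   # placeholder
    [string]$UserSam          = 'failing.user',               # placeholder
    [string]$PeerSam          = 'working.user'                # placeholder
)

Import-Module ActiveDirectory

# Well-known extended-right GUIDs used when a password is written back
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-ConnectorRights {
    # Summarise what the connector account is allowed to do on one AD object.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $rules = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $ConnectorAccount -and
        $_.AccessControlType -eq 'Allow'
    })

    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    [pscustomobject]@{
        Object             = $DistinguishedName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ConnectorAceCount  = $rules.Count
        # GenericAll / WriteProperty on the object or its attributes
        HasWriteProperty   = [bool]($rules | Where-Object {
            ($_.ActiveDirectoryRights -band $writeProp) -ne 0 })
        # ExtendedRight scoped to Reset Password, or an unscoped (all rights) ACE
        HasResetPassword   = [bool]($rules | Where-Object {
            ($_.ActiveDirectoryRights -band $extRight) -ne 0 -and
            ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty) })
        HasChangePassword  = [bool]($rules | Where-Object {
            ($_.ActiveDirectoryRights -band $extRight) -ne 0 -and
            ($_.ObjectType -eq $ChangePasswordGuid -or $_.ObjectType -eq [Guid]::Empty) })
    }
}

$user = Get-ADUser -Identity $UserSam
$peer = Get-ADUser -Identity $PeerSam
$root = (Get-ADDomain).DistinguishedName

# The failing user, a working peer in the same OU, and the domain root (step 2
# plus the domain-level check). A row where the peer has rights and the failing
# user does not, or where InheritanceBlocked is True only on the failing user,
# points at the object that needs fixing.
@(
    Get-ConnectorRights -DistinguishedName $user.DistinguishedName
    Get-ConnectorRights -DistinguishedName $peer.DistinguishedName
    Get-ConnectorRights -DistinguishedName $root
) | Format-Table -AutoSize
```

The ACL identities are matched as `DOMAIN\user`, so pass the connector account in that form; if the account was renamed or recreated since Azure AD Connect was installed, the name in Synchronization Service Manager and the name in the ACL will differ, which is exactly the mismatch the steps above describe.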