KnowledgeBase: You experience Errors with EventID 33007 and 33008 when people try to use Azure AD Self-service Password Reset

Azure AD Connect

Azure AD Connect can configure a lot of the requirements it needs automatically. One of the things it can configure for you is the AD Connector account, the account that is used to read and write into Active Directory. However, Azure AD Connect also provides PowerShell cmdlets to configure and secure AD Connector accounts of an admin’s own choice.

Today, I’m sharing a story about how the Microsoft-recommended way to provision AD Connector accounts is flawed. This story has its origin in a swing migration.

The situation

You are implementing Azure AD Connect, but you do not want an MSOL_* user account created by the Azure Active Directory Connect Configuration Wizard in the Users container of your Active Directory environment.

Instead, after installing Azure AD Connect, you close the wizard to use the cmdlets in the ADSyncConfig PowerShell module to create a user account, provide the appropriate permissions and secure the account for its use as Azure AD Connect’s AD Connector account. For the latter two steps, you use the following lines of Windows PowerShell:

# Distinguished name of the account that will serve as the AD Connector account
$useraccount = 'CN=AD Connector account,CN=users,DC=domain,DC=tld'

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# Delegate the permissions for each feature in use to the account
Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $useraccount

# Secure the account itself (removes inherited permissions and restricts access to it)
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $useraccount

Note:
You might also experience this behavior when you configure permissions for the AD Connector account manually.

When you continue the Azure Active Directory Connect Configuration Wizard, you select the Password Writeback feature on the Additional features page.

The issue

In the Application log of the Azure AD Connect server, you start seeing events with EventID 33007 and EventID 33008:

EventID 33007 with source PasswordResetService. Error hr=8023061A

The error messages are:

Error hr=8023061A

The password given does not specify the user’s current password.

EventID 33008 with source PasswordResetService. Error hr=80230619

The error messages are:

Error hr=80230619

A restriction prevents the password from being changed to the current one specified.

People in your organization would also notice that they are not able to use the self-service password reset functionality in Azure AD, although all settings in Azure AD and Azure AD Connect are correctly configured.

The cause

Azure AD Connect’s Set-ADSyncPasswordWritebackPermissions cmdlet does not provide the Change Password permission to the AD Connector account.

Note:
This behavior was observed with version 2.1.16.0 of Azure AD Connect.

Note:
The cmdlet does provide the Unexpire Password permission to the AD Connector account. This new permission was added to the permission set as of Azure AD Connect version 2.1.15.0.

The solution

The solution is to add the Change Password permission at the root of all Active Directory domains in the Active Directory forest to Azure AD Connect’s AD Connector account(s). Perform these steps:

  • Open Active Directory Users and Computers (dsa.msc) as a member of the Domain Admins group of the Active Directory domain.
  • In the View menu, enable Advanced Features.
  • In the left navigation menu, right-click the domain name. Select Properties from the context menu. The domain’s Properties pop-up window appears.
  • In the domain’s Properties window, navigate to the Security tab.
  • Click Advanced.
  • Double-click the existing permission for Reset Password for the AD Connector account. The Permission Entry for AD Connector account window appears.
  • Select the Change Password permission too.
  • Click OK three times.
  • Close Active Directory Users and Computers.

Note:
The added permission appears as a separate permission entry when you revisit the permissions in the Permission Entry window.
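The same check and fix can be scripted. The following is an added example, not code from the original post or from Azure AD Connect: it inspects the ACL on the domain root for the Reset Password and Change Password extended rights held by the AD Connector account, and grants Change Password in the same shape as the GUI entry above. The account name 'ADConnectorAccount' is a placeholder; the GUIDs are the well-known schema identifiers of the two extended rights and the user object class. Run it once in each domain of the forest.

```powershell
# Added example, not from the original post: verify the AD Connector account's
# password extended rights on the domain root and grant Change Password if missing.
# 'ADConnectorAccount' is a placeholder sAMAccountName; run once per domain.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the two extended rights and the user object class.
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$UserClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Test-ADConnectorPasswordRights {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $account  = (Get-ADUser -Identity $SamAccountName).SID.Translate([System.Security.Principal.NTAccount]).Value
    $domainDN = (Get-ADDomain).DistinguishedName
    # Allow ACEs for this account that grant an extended right to user objects (or to all object types)
    $aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 -and
        ($_.InheritedObjectType -eq $UserClassGuid -or $_.InheritedObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Account        = $account
        ResetPassword  = [bool]($aces | Where-Object ObjectType -eq $ResetPasswordGuid)
        ChangePassword = [bool]($aces | Where-Object ObjectType -eq $ChangePasswordGuid)
    }
}

function Grant-ADConnectorChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sid      = (Get-ADUser -Identity $SamAccountName).SID
    $domainDN = (Get-ADDomain).DistinguishedName
    # Same shape as the GUI entry: Allow, ExtendedRight Change Password, descendant user objects
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $ChangePasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $UserClassGuid)
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($domainDN, "Grant Change Password to $SamAccountName")) {
        Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    }
}

# Only act on the symptom described in this article: Reset Password present, Change Password absent
$rights = Test-ADConnectorPasswordRights -SamAccountName 'ADConnectorAccount'
if ($rights.ResetPassword -and -not $rights.ChangePassword) {
    Grant-ADConnectorChangePassword -SamAccountName 'ADConnectorAccount' -WhatIf   # remove -WhatIf to apply
}
```

Re-running Test-ADConnectorPasswordRights after the grant should report ChangePassword as True; the new ACE shows up as its own entry in the Permission Entry window, as the note above describes.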

Concluding

The Set-ADSyncPasswordWritebackPermissions PowerShell cmdlet may not delegate the Active Directory Change Password permission.
