Today, I implemented Password Writeback, and the article only had two permissions set for it. In testing, I found users received an error, but their password was still being reset correctly.
In the AADSync Event log, I noticed there was two failures followed by a success. The error looked like this:
An unexpected error has occurred during a password set operation.
"ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(3188): D:\bt\40256\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(3188): ..\session.cpp(2114): Asynchronous modify result (dn=
WARNING: MMS(3188): ..\session.cpp(2115): Asynchronous modify result (dn=
BAIL: MMS(3188): ..\session.cpp(2121): 0x80070005 (Access is denied.)
ERR_: MMS(3188): admaexport.cpp(4253): The password change operation failed: ERR_: MMS(3188): admaexport.cpp(4259): Insufficient Rights 0x32
BAIL: MMS(3188): admaexport.cpp(3516): 0x80004005 (Unspecified error)
ERR_: MMS(3188): ..\ma.cpp(8322): ExportPasswordSet failed with 0x80004005
Azure AD Sync 1.0.0494.0501"
This turned up a good TechNet forum post where someone highlighted the exact issue. According to the TechNet article, two additional permissions are required. I have documented these below, and have commented on the source article to add them (and added the powershell to technet) - hopefully more people can find the help they need now.
So for password writeback, two additional invocations of DSACLS are required:
$DN = "DC=domain,DC=com"
$Account = "domain\aadsync"
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Reset Password`";user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":CA;`"Change Password`";user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;pwdLastSet;user'"
Invoke-Expression $cmd
$cmd = "dsacls '$DN' /I:S /G '`"$Account`":WP;lockoutTime;user'"
Invoke-Expression $cmd
To check that the permissions are set:
dsacls “\\dc1.domain.com\DC=domain,DC=com” | findstr serviceaccountname
You should see something similar to this:
No comments:
Post a Comment