Enable password writeback in AD Connect

OKUNOWO OLUWASEGUN 21 Reputation points
2020-10-06T20:26:39.927+00:00

What permission is required to enable password writeback in AD Connect?


Accepted answer
  1. Vicky Wang 2,731 Reputation points
    2020-10-08T07:13:54.71+00:00

    Azure AD Connect lets you synchronize users, groups, and credentials between an on-premises AD DS environment and Azure AD. You typically install Azure AD Connect on a Windows Server 2012 or later computer that's joined to the on-premises AD DS domain.

    To correctly work with SSPR writeback, the account specified in Azure AD Connect must have the appropriate permissions and options set. If you're not sure which account is currently in use, open Azure AD Connect and select the View current configuration option. The account that you need to add permissions to is listed under Synchronized Directories. The following permissions and options must be set on the account:

    Reset password
    Write permissions on lockoutTime
    Write permissions on pwdLastSet
    Extended rights for "Unexpire Password" on the root object of each domain in that forest, if not already set.

    If you don't assign these permissions, writeback may appear to be configured correctly, but users encounter errors when they manage their on-premises passwords from the cloud. Permissions must be applied to This object and all descendant objects for "Unexpire Password" to appear.

    Tip

    If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-prem AD DS environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly.

    To set up the appropriate permissions for password writeback to occur, complete the following steps:

    In your on-premises AD DS environment, open Active Directory Users and Computers with an account that has the appropriate domain administrator permissions.

    From the View menu, make sure that Advanced features are turned on.

    In the left panel, right-select the object that represents the root of the domain and select Properties > Security > Advanced.

    From the Permissions tab, select Add.

    For Principal, select the account that permissions should be applied to (the account used by Azure AD Connect).

    In the Applies to drop-down list, select Descendant User objects.

    Under Permissions, select the box for the following option:

    Reset password

    Under Properties, select the boxes for the following options. Scroll through the list to find these options, which may already be set by default:

    Write lockoutTime
    Write pwdLastSet

    When ready, select Apply / OK to apply the changes and exit any open dialog boxes.

    When you update permissions, it might take up to an hour or more for these permissions to replicate to all the objects in your directory.

    Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for Minimum password age must be set to 0. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpedit.msc.

    If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.

    2 people found this answer helpful.
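The same permission set the accepted answer walks through in Active Directory Users and Computers, granted from PowerShell instead. This is an added example, not code from the answer or from Microsoft; it assumes the ActiveDirectory module, a Domain Admin session, and a placeholder sAMAccountName for the Azure AD Connect account (the one shown under "Synchronized Directories"). GUIDs for the attributes and extended rights are read from the schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example: grant the on-premises AD DS permissions that SSPR password writeback needs
# to the Azure AD Connect account. Run as a Domain Admin on a domain-joined machine.
Import-Module ActiveDirectory

$ConnectAccount = 'MSOL_PLACEHOLDER'   # placeholder: replace with the connector account's sAMAccountName

$root     = Get-ADRootDSE
$domainDN = $root.defaultNamingContext          # ACEs go on the root object of the domain
$sid      = (Get-ADUser -Identity $ConnectAccount).SID

# Look up schemaIDGUIDs for the "user" class and the two attributes the answer lists.
$schemaGuid = @{}
Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=lockoutTime)(lDAPDisplayName=pwdLastSet))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

# Look up rightsGuids for the "Reset Password" and "Unexpire Password" control access rights.
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(|(displayName=Reset Password)(displayName=Unexpire Password))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$userClass   = $schemaGuid['user']

$rules = @(
    # "Reset password" (extended right), Applies to: Descendant User objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $rightGuid['Reset Password'], $descendants, $userClass)
    # "Write lockoutTime" and "Write pwdLastSet", Applies to: Descendant User objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty', $allow, $schemaGuid['lockoutTime'], $descendants, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty', $allow, $schemaGuid['pwdLastSet'],  $descendants, $userClass)
    # "Unexpire Password", Applies to: This object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $rightGuid['Unexpire Password'], $all)
)

$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: show only the ACEs on the domain root that are granted to the connector account.
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ntAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The verification output should show the four object-specific ACEs; if a user still fails writeback after replication, check that inheritance is enabled on that user object, as the answer's tip notes.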

2 additional answers

  1. Andy David - MVP 147.6K Reputation points MVP
    2020-10-06T20:29:35+00:00
    3 people found this answer helpful.

  2. Vicky Wang 2,731 Reputation points
    2020-10-12T08:28:24.903+00:00

    Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,
    Vicky
