Password writeback unrecoverable issue with account configuration error

Last week, one of our clients encountered the error below when performing password change.

“We’re sorry, but we cannot change your password at this time. Unfortunately, this is due to unrecoverable issue with your account configuration, so trying again won’t work.

Please contact your admin to change your password for you.”

Figure 1: Error when performing password change

Their accounts are synchronized from on-prem AD to AAD via AD Connect and for the password change to work, password writeback is enabled from AD Connect.

Troubleshooting steps done with no luck:

  1. Ensured AD Connect is in the latest version
  2. Ensured that the sync account (automatically created during install and starts with MSOL_ however you can also define another account for this) has correct permissions to AD, it would need password reset and change
  3. Disabled and enabled password writeback
  4. Disabled and enabled password hash
  5. Disabled and enabled 1 and 2 at the same time
  6. Uninstalled and installed AD Connect
  7. Uninstalled AD Connect, cleanup install location and installed AD Connect

After doing all the steps above, I can’t think of anything else to do. My mind just keeps on going back to the sync account.. it should have permission.. it should have permission.. until I’ve decided to do item 7 again and delete the sync account together with cleaning up the install location. And voila! Issue resolved.

Here’s an outline of the steps done to resolve the issue: This requires deletion of install location and registry so ensure that you have a backup.

  1. Uninstalled Microsoft Azure AD Connect, this includes Sync Service and Databases.
  2. Deleted AADConnect folder in C:\ProgramData.
  3. Deleted the following folders in C:\Program Files. These folders should be automatically deleted once AD Connect has been successfully uninstalled. However there are instances where some folders just don’t do what they’re told.
    • Microsoft Azure Active Directory Connect
    • Microsoft Azure AD Connect Health Sync Agent
    • Microsoft Azure AD Sync
  4. Deleted lingering registry entries.
    • [HKCU]\SOFTWARE\Microsoft\Azure AD Connect
    • [HKLM]\SOFTWARE\Microsoft\Azure AD Connect
  5. Deleted sync account from AD. To find out what the account is, open synchronization service, navigate to connectors and open properties for ADDS. See figure 2.
  6. Restarted server.
  7. Reinstalled AD Connect.
  8. Enabled Password writeback.
Figure 2: Where to find service account used to run the ADDS connector

There you go! Hope this helps someone, somewhere out there!

Oh! And welcome to my first blog post! 🙂