When you configure the Azure AD Premium Self Service Password Reset solution on your Azure AD tenant and then the Azure AD Connect Password Writeback feature, you will need to add permissions in your local Active Directory that permits the Azure AD Connect account to actually change and reset passwords for your users , as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started#step-4-set-up-the-appropriate-active-directory-permissions.
I wrote this PowerShell script that helps you configure this correctly in your domain/forest. Some notes:
- You can use it in a single-domain, single-forest domain, or in a multi-domain forest, just remember to specify a Domain Controller for the wanted domain, and for the domain the Azure AD Connect account is in.
- You have to find the Azure AD Connect Synchronization account, it would be MSOL_xxxx.. if you have used Express settings, or a dedicated account. Look at current configuration for details.
- You can specify an OU for your users, and if inheritance is enabled all subordinate users and OUs will inherit the permissions. If not, please run the script once for each OU you want the permissions to be applied for.
Here is the script:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: Sets Azure AD Connect Password Write Back AD Permissions | |
| # Created by: Jan Vidar Elven, Enterprise Mobility MVP, Skill AS | |
| # Last Modified: 01.06.2016 | |
| # Run this on-premises for your domain/forest | |
| Import-Module ActiveDirectory | |
| #region Initial Parameters/Variables | |
| # Domain Controller in wanted domain, leave blank if using current domain | |
| $dcserver = "mydc.domain.local" | |
| # Azure AD Connect Synchronization Account | |
| $aadcaccount = "MSOL_xxxxx" | |
| # Azure AD Connect Account Domain Controller | |
| $aadcserver = "mydc.domain.local" | |
| # Organizational Unit Distinguished Name, starting point for delegation | |
| $oudn = "OU=<UsersOU>,DC=domain,DC=local" | |
| #endregion | |
| # Check if default current domain or specified domain should be used | |
| If ($dcserver -eq $null) { | |
| # Get a reference to the RootDSE of the current domain | |
| $rootdse = Get-ADRootDSE | |
| # Get a reference to the current domain | |
| $domain = Get-ADDomain | |
| } | |
| Else { | |
| # Get a reference to the RootDSE of the domain for the specified server | |
| $rootdse = Get-ADRootDSE -Server $dcserver | |
| # Get a reference to the domain for the specified server | |
| $domain = Get-ADDomain -Server $dcserver | |
| } | |
| # Refer to my Active Directory, either current or specified server from above | |
| New-PSDrive -Name "myAD" -Root "" -PsProvider ActiveDirectory -Server $rootdse.dnsHostName | |
| # Change to My Active Directory Command Prompt | |
| cd myAD: | |
| # Create a hashtable to store the GUID value of each schema class and attribute | |
| $guidmap = @{} | |
| Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter ` | |
| "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID | | |
| % {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID} | |
| # Create a hashtable to store the GUID value of each extended right in the forest | |
| $extendedrightsmap = @{} | |
| Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter ` | |
| "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid | | |
| % {$extendedrightsmap[$_.displayName]=[System.GUID]$_.rightsGuid} | |
| # Get a reference to the OU we want to delegate | |
| $ou = Get-ADOrganizationalUnit -Identity $oudn | |
| # Get the SID value of the Azure AD Connect Sync Account we wish to delegate access to | |
| $a = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $aadcaccount -Server $aadcserver).SID | |
| # Get a copy of the current DACL on the OU | |
| $acl = Get-ACL -Path ($ou.DistinguishedName) | |
| # Create an Access Control Entry for new permission we wish to add | |
| # Allow the Azure AD Account to reset passwords on all descendent user objects | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"ExtendedRight","Allow",$extendedrightsmap["Reset Password"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to change passwords on all descendent user objects | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"ExtendedRight","Allow",$extendedrightsmap["Change Password"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to write lockoutTime extended property | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"WriteProperty","Allow",$guidmap["lockoutTime"],"Descendents",$guidmap["user"])) | |
| # Allow the Azure AD Account to write pwdLastSet extended property | |
| $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` | |
| $a,"WriteProperty","Allow",$guidmap["pwdLastSet"],"Descendents",$guidmap["user"])) | |
| # Re-apply the modified DACL to the OU | |
| Set-ACL -ACLObject $acl -Path ("myAD:\"+($ou.DistinguishedName)) |
Hope the script will be helpful!
GoToGuy Blog 
awesome script saved me sore eyes scrolling through the permissions in the gui