Lately, I was facing error 7 "Could not write changed password to AD. Error 0x80070032." in the Application Log on one of my servers. I'm aware that this critical event is often caused by insufficient rights for LAPS. But in this case, the server was not yet configured with LAPS. The OU where the server was located wasn't configured for LAPS either. I had NOT run Set-AdmPwdComputerSelfPermission -OrgUnit "servers" yet.
In this post, I'll show you the steps to fix event 7 from source AdmPwd for computer objects that don't have LAPS installed and configured.
How to fix Could not write changed password to AD. Error 0x80070032.
To stop error 7 "Could not write changed password to AD. Error 0x80070032" from recurring at roughly every Group Policy background refresh (90 minutes by default, plus a random offset), follow these steps:
- Start Active Directory Users and Computers (dsa.msc)
- In the View menu, enable Advanced Features (without it the Security tab is hidden)
- Navigate to the Organizational Unit where the computer object is located
- Double-click the computer object and go to the Security tab
- Click Advanced
- Click Add. In the new window named Permission Entry for <computer name>, click "Select a principal". Type SELF, click "Check Names" to validate and click OK. Leave "Applies to" at "This object only"
- Scroll down to "Write ms-Mcs-AdmPwd" in the Properties section and check the box. Finding this permission can be cumbersome if you have a lot of permissions on the list. Note that Set-AdmPwdComputerSelfPermission grants SELF write access on both ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime; if this computer is going to run the LAPS client, check "Write ms-Mcs-AdmPwdExpirationTime" as well, otherwise the client cannot record when the password expires
- Click OK to save the changes
That's it. The computer object (acting as SELF) now has permission to write its password to its own ms-Mcs-AdmPwd attribute in AD. The local administrator password itself is still changed locally by the LAPS client; this permission only lets the client store the result.
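The same per-object change can be scripted. The following is an added example and not code from the original post: it grants SELF write access on the LAPS attributes of a single computer object with the ActiveDirectory module, then lists the resulting ACEs and queries the Application log for event 7 from source AdmPwd. It assumes the RSAT ActiveDirectory module is installed, the LAPS schema extension has already been applied, and the computer name 'SRV01' is a placeholder. It goes one step beyond the ADUC steps above by also granting write on ms-Mcs-AdmPwdExpirationTime, which is what Set-AdmPwdComputerSelfPermission does.

```powershell
# Added example, not code from the original post: grant SELF "Write ms-Mcs-AdmPwd"
# (and "Write ms-Mcs-AdmPwdExpirationTime") on one computer object, the same change
# the ADUC steps above make by hand.
# Assumptions: RSAT ActiveDirectory module present, LAPS schema already extended,
# 'SRV01' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$ComputerName = 'SRV01'   # placeholder: computer's sAMAccountName without the trailing $
# Attributes the LAPS client writes. Set-AdmPwdComputerSelfPermission grants write on both;
# the ADUC steps above cover only the first one.
$Attributes   = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime')

$computer = Get-ADComputer -Identity $ComputerName
$dn       = $computer.DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$self     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # well-known SID of NT AUTHORITY\SELF

$acl = Get-Acl -Path "AD:\$dn"

foreach ($name in $Attributes) {
    # Resolve the attribute's schemaIDGUID from the schema instead of hardcoding it
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $attr) {
        throw "$name is not in the schema. Run Update-AdmPwdADSchema before granting rights."
    }
    $guid = [guid]$attr.schemaIDGUID

    # Equivalent of ticking "Write <attribute>" for principal SELF on this object only
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path "AD:\$dn" -AclObject $acl

# Check 1: the ACEs that now let SELF write properties on the object
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType -AutoSize

# Check 2 (run on the affected server after the next policy refresh or gpupdate /force):
# no new event 7 from source AdmPwd should appear in the Application log
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 7 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The per-object ACE is a one-off fix for a handful of objects. For a whole OU, Set-AdmPwdComputerSelfPermission -OrgUnit is the supported way and grants the same rights, inherited to every computer object below it.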
To validate that the change is effective, wait another 90 minutes and search the Application Log for event 7, source AdmPwd. You might be able to speed things up by running a group policy update (gpupdate /force), but I didn't test this out. And since you have probably fixed the error with the steps above, you are not going to see error 0x80070032 appear again ;)
If this article did not help you solve your problem, please leave a comment! This website is visited thousands of times a day. There is a good chance that I or someone else has an answer to your question.