We're investigating the AD password change and AD password unlock feature within Okta to help users unlock their accounts and/or change their password when their account is locked.
Can someone explain how the user accomplishes this if they lock their account and don't know their current AD password? What happens if the user doesn't have access to a 2nd machine and can't get into their laptop? I would love to hear what people are doing in real world scenarios.
Raja - we tried that but the only option we have is to choose Forgot Password. However, if the user can't access their email b/c the account is locked out or they don't know their password to get into the email, then how can they retrieve the password reset link?
Raja - I'll need to contact support. If we click Forgot Password and enter our password we receive the below email. However, if the user is locked out or doesn't know their password then they can't log into their workstation to reset their password.
Your Okta account is configured to use the same password you currently use for logging in to your organization's Windows network. Use your Windows account password to sign in to Okta. Please use the password reset function in Windows to reset your password.
Lazaros, Okta can do SMS outside of the US. It is something you have to pay additional for (per use or buy in blocks). It is something we have been evaluating as we have a global workforce (~50% in the US with the other 50% scattered everywhere but Antarctica).
I too got this email and went through the scenarios. Unless there's some magic you do in the API ahead of time, the user needs to login at least once and set up their secondary email/security questions/security image etc. before this works the way we want. This meant I had to send my users a one time password, then set it to expire in AD. When the user registers at Okta for the first time, they are prompted to fill out their security questions, etc. Subsequent password reset attempts will give them the link we're all expecting. On password reset, they have to provide an answer to their security question(s). They may be able to bypass the questions if they registered a secondary email or an SMS number - some sort of second factor, but I haven't had time to run through that scenario.
Thanks Matt Dewall, that really helped point me in the right direction. I actually just pinpointed exactly what field is required to get the correct password reset email, and that is a secondary email address needs to be set up AND VERIFIED, otherwise the password reset email will not be one that includes a link to reset it. Hopefully this helps someone.
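The two posts above boil down to a pre-condition you can audit ahead of time: a locked-out AD user only gets a usable reset link if Okta holds a secondary email that they can still read without their AD password. The script below is an added example, not code from the thread or from Okta; it walks user records in the shape returned by Okta's `GET /api/v1/users` (`profile.email`, `profile.secondEmail`, `status`) and flags users with no secondary email, a secondary email identical to the primary, or a secondary email on a corporate domain (which lives behind the same locked-out AD account and is useless for recovery). The sample users, the `corp.example` domain list, and the helper names are constructed for this example. Note that the user profile does not carry the verified/unverified state the last post mentions, so this check is necessary but not sufficient: a user who passes still has to complete Okta's verification of that address.

```python
"""Audit Okta users for a recovery-usable secondary email.

Added example (not from the thread or Okta). Input records mirror the
profile fields returned by GET /api/v1/users; the sample data below is
constructed for the example.
"""
from collections import defaultdict

# Constructed sample records in the shape of GET /api/v1/users output.
SAMPLE_USERS = [
    {"id": "00u1", "status": "ACTIVE",
     "profile": {"login": "alice@corp.example", "email": "alice@corp.example",
                 "secondEmail": "alice.home@mail.example"}},
    {"id": "00u2", "status": "ACTIVE",
     "profile": {"login": "bob@corp.example", "email": "bob@corp.example"}},
    {"id": "00u3", "status": "ACTIVE",
     "profile": {"login": "carol@corp.example", "email": "carol@corp.example",
                 "secondEmail": "Carol@Corp.Example"}},
    {"id": "00u4", "status": "ACTIVE",
     "profile": {"login": "dave@corp.example", "email": "dave@corp.example",
                 "secondEmail": "dave@mail.corp.example"}},
    {"id": "00u5", "status": "DEPROVISIONED",
     "profile": {"login": "eve@corp.example", "email": "eve@corp.example"}},
]

# Assumed: domains whose mailboxes require the (possibly locked) AD account.
CORPORATE_DOMAINS = {"corp.example"}


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def _is_corporate(address, corporate_domains):
    """True if the address is on a corporate domain or one of its subdomains."""
    d = _domain(address)
    return any(d == c or d.endswith("." + c) for c in corporate_domains)


def classify(user, corporate_domains):
    """Classify one user record by whether its secondary email is usable for recovery."""
    if user.get("status") != "ACTIVE":
        return "inactive"
    profile = user.get("profile", {})
    primary = (profile.get("email") or "").strip().lower()
    second = (profile.get("secondEmail") or "").strip().lower()
    if not second:
        return "no_second_email"
    if second == primary:
        return "same_as_primary"
    if _is_corporate(second, corporate_domains):
        return "corporate_second_email"
    return "ok"


def audit(users, corporate_domains):
    """Group user logins by classification; every category key is always present."""
    categories = ["ok", "no_second_email", "same_as_primary",
                  "corporate_second_email", "inactive"]
    report = {c: [] for c in categories}
    for user in users:
        report[classify(user, corporate_domains)].append(user["profile"]["login"])
    return report


def list_users_request(org_url, api_token, limit=200):
    """Build the URL and headers for the first page of GET /api/v1/users.

    Okta authenticates API tokens with an 'Authorization: SSWS <token>' header
    and paginates via the Link header (rel="next"); fetching and following
    that header is left to the caller so this example stays offline.
    """
    url = f"{org_url.rstrip('/')}/api/v1/users?limit={limit}"
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return url, headers


if __name__ == "__main__":
    for category, logins in audit(SAMPLE_USERS, CORPORATE_DOMAINS).items():
        print(f"{category:24s} {', '.join(logins) or '-'}")
```

Anyone in the `no_second_email`, `same_as_primary` or `corporate_second_email` buckets will receive the "use the password reset function in Windows" email rather than a reset link, which is exactly the dead end described earlier in the thread; those are the users to chase before their AD account locks, not after.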