https://support.okta.com/help/answers?id=906f0000000i0nbiak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Alex Shchukin

Unlock locked AD accounts

Is there a way to allow users to unlock their own Active Directory accounts via Okta?
Assuming AD integration is in place.
Best Answer chosen by Niki (Okta, Inc.) 
Parth Swadas
Hi Alex,

Yes, this is possible via Okta. You can set up SMS password reset/unlock of the AD account via Okta.

You can set these features from the Admin console -> Security -> Authentication -> Active Directory -> Users can change their Active Directory passwords in Okta -> Users can reset forgotten AD passwords in Okta

Also, you can use Active Directory Self Service Unlock -> Users can unlock their Active Directory accounts in Okta

Ensure you have the SMS pack to use this feature.

/Parth

All Answers

Jim Knutson (Okta, Inc.)
Alex,
We have released a softlock feature. For AD-mastered users, Okta provides a Softlock feature, used in conjunction with AD to prevent end-user lockouts. Previously, repeatedly entering an invalid password during Okta login could lock an end-user out of their Windows account and hardware device. This option also prevents a malicious third party from using Okta to lock up an end user via the web. More information is here:

https://support.okta.com/help/articles/Knowledge_Article/Configuring-Group-Password-Policies

Happy Connecting!
Mark Chesterfield
My understanding is that the AD account unlock functionality is only available if you have enabled AD Delegated Authentication.
Patrick Siqueiros
I have noticed the same thing. I have all the referenced features turned on in the Admin Console, but account unlocks via SMS/Email are still not working for my organization. Do any changes need to be made in AD to delegate this permission out?
Sharath Chandra Edupuganti
I am having the same issue. We have already enabled "Users can change their Active Directory passwords in Okta" and "Users can unlock their Active Directory accounts in Okta" but still users are not able to unlock AD accounts in Okta.
Scott Gordon
Wouldn't the Okta service account need to have elevated permissions for the password unlock feature to work?
Joseph Brinley
I have found that the Okta account must be locked as well for the self service to unlock the user's AD account.
Derek Tran
If this feature is not working for you, please check the permissions of the Okta service account in AD. It needs to have "domain admin" in order for end users to self unlock and change the password using the Forgot password link.
Josh Spitaleri
Does this not work if the user only has Okta Verify set up as their two-factor? The answer above states that this works with SMS, but it would seem logical if it worked with Okta Verify as well. Can someone confirm?
Adam Admin
We would also like to implement self service unlock; however, we are not prepared to provide a service account Domain Administrator access. Does anyone have the specific account permissions required for the Okta service account to unlock accounts, so that this can be replicated?
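The thread asks which rights a service account needs instead of Domain Admin. The following is an added example (not from Okta or from any poster) of a least-privilege OU delegation in PowerShell: it grants only the Reset Password extended right and read/write on the lockoutTime and pwdLastSet attributes for user objects under one OU. The account name and OU path are placeholders, and whether this set of rights is sufficient for the Okta AD agent is an assumption to verify in a test domain before relying on it.

```powershell
# Added example: delegate AD self-service unlock/reset rights on one OU to a service account
# instead of adding it to Domain Admins. Run on a domain-joined host with the AD module, as an
# identity that can modify the OU's ACL.
Import-Module ActiveDirectory

$ServiceAccountSam = 'svc-okta-agent'                  # placeholder sAMAccountName
$TargetOU          = 'OU=Users,DC=example,DC=com'     # placeholder OU to delegate on

# Well-known schema GUIDs (stable across AD forests).
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # class: user
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$LockoutTimeGuid   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute: lockoutTime (clearing it unlocks)
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet

$sid = (Get-ADUser -Identity $ServiceAccountSam).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$RW          = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$rules = @(
    # Reset Password (set a new password without knowing the old one) on descendant user objects.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow,
        $ResetPasswordGuid, $Descendents, $UserClassGuid),
    # Read/write lockoutTime so the account can be unlocked.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $RW, $Allow, $LockoutTimeGuid, $Descendents, $UserClassGuid),
    # Read/write pwdLastSet, commonly needed alongside a reset.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $RW, $Allow, $PwdLastSetGuid, $Descendents, $UserClassGuid)
)

foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Review the resulting entries for the service account so the grant can be audited.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -match $ServiceAccountSam } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping the grant to the OUs that hold Okta-managed users keeps a compromise of the agent account from becoming a domain-wide password-reset capability.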