Okta Active Directory Agent Creates User Profile Folders During Self-Service Password Reset
Overview

During a self-service password reset (SSPR), the Okta Active Directory (AD) Agent may unexpectedly create a local user profile folder on the host server for each user who resets a password. This happens because the Okta AD Agent performs the reset by impersonating the user, and the server's security policy allows that user to log on locally, so Windows creates a profile for the impersonated logon. To resolve the issue, configure Group Policy or Local Server Policy to restrict who may log on locally.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Okta Active Directory (AD) Agent
  • Self-Service Password Reset (SSPR)
  • Delegated Authentication
Cause

When a user performs an SSPR for an AD password through Okta, the Okta AD Agent performs the action on behalf of the user via impersonation. If the agent server policy does not prevent the user from logging in locally, or if the user is a domain administrator, the Windows operating system creates a profile folder for the user during this process.

Solution

How is the creation of user profile folders prevented during SSPR?


To prevent the creation of user profile folders on the agent server, use either Group Policy or Local Server Policy to allow only select users or user groups to log on locally. Follow these steps to configure the policy:

  1. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  2. Open the Allow log on locally policy.
  3. Set the groups of users allowed or denied to log on locally to the server.
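The following PowerShell script is an added example and is not part of the Okta article or the Okta AD Agent. It lets an administrator verify the policy on the agent host before and after the change above: it exports the local security policy with `secedit` and reports which principals hold the Allow log on locally right (the `SeInteractiveLogonRight` entry), and it lists the non-system profile folders Windows has created on the host. The function names are my own; the script assumes an elevated PowerShell session on the agent server.

```powershell
# Added example (not from the Okta article): audit the "Allow log on locally"
# right on the AD Agent host and list the local profile folders present there.
# Assumes an elevated PowerShell session on the agent server.

function Resolve-SidToAccount {
    # Translate a SID string to DOMAIN\Name; keep the raw SID if it cannot be
    # resolved (for example an orphaned domain SID).
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

function Get-AllowLogOnLocally {
    # secedit exports the effective local security policy to an .inf file.
    # The SeInteractiveLogonRight entry is the "Allow log on locally" right.
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # right granted to no one
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'
                Resolve-SidToAccount -Sid $entry.Substring(1)
            } else {
                $entry
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-UserProfileFolders {
    # Win32_UserProfile lists every profile Windows has created on this host;
    # special profiles (SYSTEM, LocalService, NetworkService) are excluded.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            [pscustomobject]@{
                Account     = Resolve-SidToAccount -Sid $_.SID
                LocalPath   = $_.LocalPath
                LastUseTime = $_.LastUseTime
            }
        }
}

# Usage on the agent host:
Write-Host "Principals granted 'Allow log on locally':"
Get-AllowLogOnLocally | ForEach-Object { Write-Host "  $_" }

Write-Host "`nLocal profile folders present:"
Get-UserProfileFolders | Sort-Object LastUseTime -Descending | Format-Table -AutoSize
```

After changing the right through Group Policy, run `gpupdate /force` on the agent host and re-run the script; the SSPR users and any broad groups such as Users should no longer appear in the first list. Two points to keep in mind when reading the output: the separate Deny log on locally policy (`SeDenyInteractiveLogonRight`) takes precedence over an Allow entry for the same principal, and the agent itself runs as a Windows service, which needs the Log on as a service right rather than interactive logon, so tightening Allow log on locally does not affect the agent service account.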