Delegated Authentication users receive one of the following errors when attempting a self-service password reset:
- You do not have permission to perform the requested action.
- Reset password is not allowed at this time. Please contact support for assistance.
Applies to:
- Active Directory (AD) users
- Delegated authentication
- Self-service password reset (SSPR)
Cause:
The Okta AD Agent service account does not have the required permissions to reset a user's password.
Solution:
The Okta AD Agent service account requires three granular permissions to perform password resets on behalf of users or Okta Administrators:
- Write permission of the AD attribute "lockoutTime"
- Write permission of the AD attribute "pwdLastSet"
- Permission to "Reset Password"
For more details on the required permissions for the AD Agent service account, refer to the following documentation: About Okta service account permissions.
NOTE: If the Okta service account has the requisite permissions for password resets but the action still fails, verify that the affected user was never a member of Domain Admins, Account Operators, or any other privileged user group. As a security measure, both current and former members of these groups carry an AD attribute that prevents anyone other than Domain Admins or Enterprise Admins from resetting their passwords.
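To confirm the three permissions above and the protected-group condition from the note before contacting support, the following audit script is an added example (not Okta's own tooling). It assumes placeholder names for the service account, the target OU and the affected user, and it relies on the fact that the protection described in the note is AD's AdminSDHolder mechanism, which sets adminCount=1 on current and former members of protected groups.

```powershell
# Added example: audit the Okta AD Agent service account's rights on an OU and
# check whether the affected user is protected by AdminSDHolder (adminCount=1).
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-okta-agent'          # assumed: the agent's service account
$TargetOU       = 'OU=Users,DC=corp,DC=example'  # assumed: OU containing the Okta-managed users
$AffectedUser   = 'jdoe'                         # assumed: user who received the error

$rootDse = Get-ADRootDSE

# Resolve the attribute and extended-right GUIDs from the forest instead of hard-coding them.
function Get-AttributeGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$lockoutGuid  = Get-AttributeGuid 'lockoutTime'
$pwdLastGuid  = Get-AttributeGuid 'pwdLastSet'
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# Only ACEs granted directly to the account are inspected. Rights inherited through
# group membership show the group's name as IdentityReference, so pass the group instead.
$aces = (Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }

function Test-Right([guid]$guid, [string]$right) {
    [bool]($aces | Where-Object {
        ($_.ObjectType -eq $guid -and $_.ActiveDirectoryRights -match $right) -or
        $_.ActiveDirectoryRights -match 'GenericAll'   # full control also satisfies the right
    })
}

[pscustomobject]@{
    'Write lockoutTime' = Test-Right $lockoutGuid  'WriteProperty'
    'Write pwdLastSet'  = Test-Right $pwdLastGuid  'WriteProperty'
    'Reset Password'    = Test-Right $resetPwdGuid 'ExtendedRight'
} | Format-List

# AdminSDHolder check: with adminCount=1 the user's ACL is overwritten periodically and the
# delegated reset is denied even when the OU rights above are all present.
$user = Get-ADUser -Identity $AffectedUser -Properties adminCount
if ($user.adminCount -eq 1) {
    Write-Warning "$AffectedUser has adminCount=1 (current or former protected-group member)."
}
```

Any permission reported as False should be granted on the OU (or the account's membership in the delegated group checked); a user flagged with adminCount=1 must be reset by a Domain Admin or Enterprise Admin, as the note states.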
