User Unable to Reset Active Directory Password through Okta
Overview

When an Okta user assigned to an Active Directory (AD) instance that uses Delegated Authentication resets their password through Okta, the reset is sent to a Domain Controller via the Okta AD Agent, and the Domain Controller applies it. This article provides troubleshooting steps for reset attempts that do not succeed. For more information on Delegated Authentication, please see the Active Directory Password Sync and Delegated Authentication documentation.

Applies To
  • Directories
  • Active Directory (AD)
  • Self-Service Password Reset
  • Delegated Authentication
Solution

Follow the steps below:

Ensure the Active Directory Password Policy is configured correctly.

  1. Access the Okta Admin Console.

  2. Navigate to Security > Authentication in Okta Classic. If using Okta Identity Engine (OIE), select Security > Authenticators, then Actions > Edit next to the Password authenticator.

  3. In the left pane, select Active Directory Policy.

  4. Ensure the Minimum Length and Complexity Requirements match the password settings configured in Active Directory.

    1. The AD Domain Controller performs the actual reset and enforces its own policy. Okta only pre-validates the new password against the settings in its Active Directory Policy, so if the two disagree the user either sees requirements that AD does not enforce, or Okta accepts a password that the Domain Controller then rejects.

    2. To view the Active Directory password policy, run the following command as an administrator on a domain-joined machine, open the report, and search for Account Policies/Password Policy. Note that gpresult reports Group Policy settings only; if Fine-Grained Password Policies (PSOs) are in use, the user's effective policy may differ from the Default Domain Policy.

      gpresult /h C:\gpresultOkta.html

  5. Verify the Password Policy rule at the bottom of this page allows for password changes:

    1. Scroll down to the Rules section.

    2. Click the pencil icon next to the existing rule, or click Add Rule if only the default rule exists.

    3. In Classic, select Then User can > change password and perform self-service password reset. In OIE, select Then Users can perform self-service > Password change and Password reset.

  6. Also, ensure that the Recovery authenticator is valid and that the rule's status is Active.

  7. Ensure the Okta Service Account has sufficient permissions to reset passwords in Active Directory. After making permission changes to the service account, restart the Okta AD Agent service on every AD agent host so the change takes effect. For more information, please review About Okta service account permissions or consult with Microsoft Support.
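The following PowerShell is an added example, not part of the Okta article or of the Okta AD Agent, for checking the service account described in the step above. It reads the ACL on the OU that holds the Okta-managed users and reports whether the service account is directly granted the "Reset Password" extended right (schema GUID 00299570-246d-11d0-a768-00aa006e0529) with inheritance to the objects beneath the OU, after first confirming the account itself is enabled, not locked out and not expired. The service account name, OU distinguished name and the agent service display name are assumptions; the full list of rights Okta requires is in the About Okta service account permissions documentation linked above.

```powershell
# Added example (not part of the Okta article): check whether the Okta service
# account is usable and directly holds the "Reset Password" right on the OU that
# contains the users, then restart the agent service if rights were just changed.
# Requires the ActiveDirectory RSAT module. Names below are assumptions.
Import-Module ActiveDirectory

function Test-OktaServiceAccountResetRight {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccountSam,   # e.g. 'svc-okta' (assumed)
        [Parameter(Mandatory)] [string] $TargetOU             # DN of the OU holding Okta-managed users
    )

    # A disabled, locked-out or expired service account fails before any ACL matters.
    $svc = Get-ADUser -Identity $ServiceAccountSam -Properties LockedOut, PasswordExpired, Enabled
    $state = [pscustomobject]@{
        Enabled         = $svc.Enabled
        LockedOut       = $svc.LockedOut
        PasswordExpired = $svc.PasswordExpired
    }

    # Well-known schema GUID of the "Reset Password" control access right.
    $resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
    $ntAccount = "$((Get-ADDomain).NetBIOSName)\$($svc.SamAccountName)"
    $adRights  = [System.DirectoryServices.ActiveDirectoryRights]

    $acl = Get-Acl -Path "AD:\$TargetOU"
    $grants = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ntAccount -and
        (
            # Full control, or the specific extended right, or all extended rights (empty GUID).
            (($_.ActiveDirectoryRights -band $adRights::GenericAll) -ne 0) -or
            (
                (($_.ActiveDirectoryRights -band $adRights::ExtendedRight) -ne 0) -and
                ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
            )
        ) -and
        # The ACE must reach the user objects beneath the OU, not only the OU itself.
        ($_.InheritanceType -eq 'All' -or $_.InheritanceType -eq 'Descendents')
    }

    [pscustomobject]@{
        ServiceAccount       = $ntAccount
        AccountState         = $state
        ResetPasswordGranted = [bool]$grants
        MatchingAces         = $grants
        Note                 = 'Rights inherited through group membership are not matched; expand the account''s groups if no direct ACE is found.'
    }
}

# Usage with assumed names. Run the restart on every AD agent host after changing rights;
# the service display name "Okta AD Agent" is assumed here.
Test-OktaServiceAccountResetRight -ServiceAccountSam 'svc-okta' -TargetOU 'OU=Users,DC=corp,DC=example'
Get-Service -DisplayName 'Okta AD Agent*' | Restart-Service
```

If ResetPasswordGranted is false but the account is in a group that delegates the right (for example through the Delegation of Control wizard), the check must be repeated for that group's identity; the function deliberately matches only direct ACEs so that the result is unambiguous.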

  8. If the error Password requirements were not met displays despite a seemingly good password being entered, pay special attention to the following settings in Active Directory:

    • Minimum Password Age. By default, this is set to 1 day in the Default Domain Policy, so a second change within 24 hours of the previous one is rejected.

    • Enforce password history. By default, this is set to 24 in Active Directory, so any of the user's 24 previous passwords is rejected even though it satisfies the length and complexity rules.

Please review Active Directory Password Change by User Fails with Error "Password requirements were not met" for more information on this error.
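The following PowerShell is an added example, not part of the Okta article, that covers both the policy comparison in step 4 and the two settings called out in step 8. Instead of reading a gpresult report, it asks Active Directory for the policy that is resultant for one user (a Fine-Grained Password Policy if one applies, otherwise the Default Domain Policy), compares minimum length and complexity with the values configured in the Okta Active Directory Policy, and reports whether that user is still inside the minimum password age window and how many previous passwords are blocked by history. The sample user name and the Okta values passed in are assumptions; copy the real ones from the Okta AD Policy page.

```powershell
# Added example (not part of the Okta article): resolve the password policy that
# actually applies to one AD user and compare it with the values configured in the
# Okta Active Directory Policy. Requires the ActiveDirectory RSAT module and read
# access to the domain. User name and Okta values below are assumptions.
Import-Module ActiveDirectory

function Test-OktaAdPasswordPolicyAlignment {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Copy these from the Okta AD Policy (Minimum length, Complexity requirements).
        [int]  $OktaMinLength  = 8,
        [bool] $OktaComplexity = $true
    )

    $user = Get-ADUser -Identity $UserName -Properties PasswordLastSet

    # A Fine-Grained Password Policy (PSO) overrides the Default Domain Policy and is
    # not shown by gpresult, so ask AD which policy is resultant for this user.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    $source = 'Fine-Grained Password Policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Settings that must match the Okta AD Policy so Okta's pre-validation agrees with AD.
    if ($policy.MinPasswordLength -ne $OktaMinLength) {
        $findings.Add("Minimum length mismatch: AD=$($policy.MinPasswordLength) Okta=$OktaMinLength")
    }
    if ($policy.ComplexityEnabled -ne $OktaComplexity) {
        $findings.Add("Complexity mismatch: AD=$($policy.ComplexityEnabled) Okta=$OktaComplexity")
    }

    # The two settings that produce "Password requirements were not met" for a
    # password that already satisfies length and complexity.
    if ($user.PasswordLastSet) {
        $earliestChange = $user.PasswordLastSet + $policy.MinPasswordAge
        if ((Get-Date) -lt $earliestChange) {
            $findings.Add("Minimum password age not reached: last set $($user.PasswordLastSet), next change allowed $earliestChange")
        }
    }
    $findings.Add("Password history: the last $($policy.PasswordHistoryCount) passwords cannot be reused")

    [pscustomobject]@{
        User             = $user.SamAccountName
        PolicySource     = $source
        ADMinLength      = $policy.MinPasswordLength
        ADComplexity     = $policy.ComplexityEnabled
        ADMinPasswordAge = $policy.MinPasswordAge
        ADHistoryCount   = $policy.PasswordHistoryCount
        Findings         = $findings
    }
}

# Usage with an assumed sample user and assumed Okta AD Policy values.
Test-OktaAdPasswordPolicyAlignment -UserName 'jdoe' -OktaMinLength 8 -OktaComplexity $true
```

A minimum-age finding means the Domain Controller will keep rejecting the reset until the reported time regardless of what Okta shows the user, so the fix is to wait or to have an administrator lower the setting, not to adjust the Okta policy.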

  9. If the Okta AD Agent is timing out before the password change completes, please see Active Directory Password Reset Failed Due to Agent Timeout for more information.
