When an Okta user assigned to an Active Directory (AD) instance that uses Delegated Authentication resets their password through Okta, the password reset attempt routes to a Domain Controller via the Okta AD Agent. Password resets fail when password policies do not match, permissions are insufficient, or the agent times out. Verify the AD Password Policy, ensure the Okta Service Account has sufficient permissions, and check for agent timeouts to resolve the issue. For more information on Delegated Authentication, review the Active Directory Password Sync and Delegated Authentication documentation.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Self-Service Password Reset
- Delegated Authentication
Active Directory password resets through Okta fail due to mismatched password policies between Okta and Active Directory, insufficient permissions for the Okta Service Account, or Okta AD Agent timeouts.
What steps resolve Active Directory password reset failures?
Verify the Active Directory Password Policy configuration, ensure the Okta Service Account has sufficient permissions, and check for agent timeouts by performing the following actions.
- Ensure the Active Directory Password Policy is configured correctly in Okta.
- In the Okta Admin Console, access the Password authenticator.
- If using the Okta Classic Engine, navigate to Security > Authentication.
- If using Okta Identity Engine (OIE), select Security > Authenticators, and then select Actions > Edit next to the Password authenticator.
- In the left pane, select Active Directory Policy.
- Ensure the Minimum Length and Complexity Requirements match the password settings configured in Active Directory.
- The AD Domain Controller performs all password resets and enforces these settings within Active Directory, but the settings must match within Okta so the user sees the correct requirements, and Okta successfully sends the password reset attempt to Active Directory.
- To view the GPO-based Active Directory password policy, run the following command as an administrator on a domain-joined computer and search the report for Account Policies/Password Policy. A fine-grained password policy (PSO) applied directly to the user or to one of their groups overrides these settings and does not appear in this report, so also check for PSOs when the domain uses them.
gpresult /h C:\gpresultOkta.html
- Verify the Password Policy rule at the bottom of the page allows for password changes.
- Scroll down to the Rules section.
- Select the pencil icon next to the existing rule, or select Add Rule if only the default rule exists.
- In Okta Classic Engine, select Then User can > change password and perform self-service password reset.
- In OIE, select Then Users can perform self-service > Password change and Password reset.
- Ensure that the Recovery authenticator is valid and that the rule status is Active.
- Ensure the Okta Service Account has sufficient permissions to change passwords in Active Directory. After making permission changes to the service account, restart the Okta AD Agent service on all AD agents. For more information, review Okta service account permissions or consult with Microsoft Support.
- If the error Password requirements were not met displays even though the password entered appears to satisfy the length and complexity rules, pay special attention to the following Active Directory settings, which are enforced by the Domain Controller regardless of what Okta shows the user:
- Minimum Password Age: By default, this is set to 1 day, so a user who has already changed or reset their password within the last 24 hours cannot reset it again until that period has elapsed.
- Enforce password history: By default, this is set to 24 in Active Directory, so a user cannot reuse any of their previous 24 passwords.
Review Active Directory Password Change by User Fails with Error "Password requirements were not met" for more information on this error.
- If the Okta AD Agent times out before the password change completes, review Active Directory Password Reset From Okta Fails Due to Agent Timeout for more information.
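The following PowerShell is an added example, not part of the Okta article and not Okta's own tooling. It pulls together the AD-side checks the steps above ask for: which password policy actually applies to a given user (a fine-grained policy if one exists, otherwise the Default Domain Policy), whether minimum password age would currently refuse a change for that user, whether the Okta service account holds the Reset Password right on the user object, and a restart of the agent service on every agent host after a permission change. It runs on a domain-joined host with the RSAT ActiveDirectory module. The account name svc_okta, the user jdoe, the agent host names, and the assumption that the agent service's display name starts with "Okta AD Agent" are placeholders to replace with your own values.

```powershell
# Added example (not from the Okta article): AD-side checks for a failed
# Okta-initiated password reset. Names below are placeholders (assumptions).
Import-Module ActiveDirectory

$OktaServiceAccount = 'svc_okta'   # assumed Okta AD Agent service account

# Well-known control-access-right GUID from the AD schema:
# User-Force-Change-Password, shown as "Reset Password" in the ACL editor.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, LockedOut

    # A fine-grained policy (PSO) on the user or one of its groups overrides the
    # Default Domain Policy and is not visible in a gpresult report.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
    if ($policy) {
        $source = "Fine-grained policy '$($policy.Name)'"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    # Minimum password age is counted from pwdLastSet, so a reset that succeeded
    # earlier today blocks another one until the age has elapsed.
    $blockedUntil = $null
    if ($user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
        if ($earliest -gt (Get-Date)) { $blockedUntil = $earliest }
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        PolicySource       = $source
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        MinPasswordAge     = $policy.MinPasswordAge
        PasswordHistory    = $policy.PasswordHistoryCount
        PasswordLastSet    = $user.PasswordLastSet
        LockedOut          = $user.LockedOut
        ChangeBlockedUntil = $blockedUntil   # $null means min age does not block right now
    }
}

function Test-OktaResetPermission {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ServiceAccount
    )

    $user = Get-ADUser -Identity $SamAccountName
    # Inspect explicit and inherited ACEs on the user object. Rights the service
    # account receives through group membership are not expanded here; use
    # dsacls or the Effective Access tab for that case.
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$ServiceAccount" -and
        (
            $_.ObjectType -eq $ResetPasswordRight -or
            $_.ActiveDirectoryRights -match 'GenericAll' -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty)
        )
    }

    [pscustomobject]@{
        User             = $user.SamAccountName
        ServiceAccount   = $ServiceAccount
        HasResetPassword = [bool]$aces
        MatchingAces     = @($aces | ForEach-Object {
            "$($_.IdentityReference) $($_.ActiveDirectoryRights) $($_.ObjectType) inherited=$($_.IsInherited)"
        })
    }
}

function Restart-OktaADAgentService {
    # After changing the service account's permissions, restart the agent on
    # every host that runs it. Matching on display name is an assumption.
    param([Parameter(Mandatory)][string[]]$AgentHost)

    Invoke-Command -ComputerName $AgentHost -ScriptBlock {
        Get-Service -DisplayName 'Okta AD Agent*' | Restart-Service -Force -PassThru |
            Select-Object MachineName, DisplayName, Status
    }
}

# Usage (placeholder names): which policy applies, and why a reset might be refused.
Get-EffectivePasswordPolicy -SamAccountName 'jdoe' | Format-List
Test-OktaResetPermission -SamAccountName 'jdoe' -ServiceAccount $OktaServiceAccount | Format-List
# Only after a permission change on the service account:
# Restart-OktaADAgentService -AgentHost 'okta-agent-01', 'okta-agent-02'
```

Compare MinPasswordLength and ComplexityEnabled from the first command with the Active Directory Policy page in the Okta Admin Console; a non-empty ChangeBlockedUntil or a history count the user's new password collides with explains a "Password requirements were not met" error even when the password looks valid. HasResetPassword being false on a user the agent cannot reset points at the service account's permissions rather than at the policy.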
