Active Directory-Sourced Users Remain Locked in Active Directory After Being Unlocked in Okta
Overview

When an administrator or a user triggers an account unlock within Okta, the corresponding Active Directory (AD) account may remain locked, preventing successful sign-in. This occurs when the Active Directory password policy in Okta is not configured to propagate the unlock command to the domain controller. Enabling the Unlock users in Okta and Active Directory option ensures that a single unlock action in Okta restores access across both platforms.


NOTE: Unlocking a user account directly in Active Directory does not synchronize the status to Okta. The user account must be unlocked in Okta to clear the lockout state in the Okta Admin Console.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Active Directory (AD)
  • Delegated Authentication
  • Self-Service Account Unlock
Cause

The Active Directory password policy within Okta is configured to unlock the user in Okta only. This occurs if the Unlock users in Okta and Active Directory checkbox is cleared in the policy settings. This issue may also occur if the Okta Service Account in AD lacks the required permissions, causing the unlock attempt to fail even when the policy is correctly configured.

Solution

How is Okta configured to unlock Active Directory accounts?


The following steps describe how to update the password policy to ensure that Okta unlock actions are pushed to Active Directory.

  1. In the Okta Admin Console, navigate to Security > Authenticators (or Security > Authentication in Okta Classic Engine).
  2. Find Password in the list of authenticators and select Actions > Edit.
  3. Select the Active Directory policy from the list of password policies.
  4. Select Edit for the policy.
  5. Navigate to the Password Settings section.
  6. Under the Unlock options, select the checkbox for Unlock users in Okta and Active Directory.
  7. Select Save.


NOTE: Ensure the Okta AD Agent service account has sufficient permissions in AD to unlock user accounts.
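The following PowerShell script is an added example, not part of the Okta article, for confirming the AD side of the two conditions described above: whether the domain controller still considers the user locked after an Okta unlock, and whether the Okta AD Agent service account holds a write right on the user's lockoutTime attribute (which is the attribute that an unlock resets). The account names `jdoe` and `svc-okta-adagent` are assumptions.

```powershell
# Added example (not Okta's own code). Run on a domain-joined host with the
# ActiveDirectory RSAT module. Names below are assumptions; change as needed.
Import-Module ActiveDirectory

$UserSam  = 'jdoe'               # assumed sAMAccountName of the affected user
$AgentSam = 'svc-okta-adagent'   # assumed Okta AD Agent service account

# 1. Lockout state as the domain controller sees it. LockedOut is derived
#    from lockoutTime; a non-zero lockoutTime means AD still treats the user
#    as locked regardless of what the Okta Admin Console shows.
$user = Get-ADUser -Identity $UserSam -Properties LockedOut, lockoutTime, badPwdCount
$lockedSince = if ($user.lockoutTime -gt 0) {
    [DateTime]::FromFileTime($user.lockoutTime)
} else { $null }

[PSCustomObject]@{
    User        = $user.SamAccountName
    LockedOut   = $user.LockedOut
    LockedSince = $lockedSince
    BadPwdCount = $user.badPwdCount
} | Format-List

# 2. Can the agent account write lockoutTime on this user object?
#    Resolve the attribute's schemaIDGUID from the schema rather than
#    hardcoding it, then look for a matching Allow ACE on the user.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$lockoutAttr = Get-ADObject -SearchBase $schemaNC `
                   -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutGuid = [Guid]$lockoutAttr.schemaIDGUID
$agentSid    = (Get-ADUser -Identity $AgentSam).SID
$agentName   = $agentSid.Translate([System.Security.Principal.NTAccount]).Value

$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$matchingAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $agentName -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    ($_.ObjectType -eq $lockoutGuid -or $_.ObjectType -eq [Guid]::Empty)
}

# Only ACEs granted directly to the agent account are matched here; rights
# inherited through group membership are not expanded by this check.
if ($matchingAces) {
    "$AgentSam has WriteProperty on lockoutTime for $UserSam (direct ACE)."
} else {
    "No direct ACE grants $AgentSam write access to lockoutTime for $UserSam; check group-based grants."
}
```

If step 1 reports LockedOut = True after an Okta unlock, the policy checkbox or the agent's permissions are the first things to verify.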
