When installing the Okta Active Directory (AD) Agent on an Amazon Web Services (AWS) server that was created for AWS Managed AD, the installation may fail with the following message:
Error creating service account: Access is Denied.
- AWS Managed AD
- Directories
- Okta AD Agent
- Active Directory (AD)
- Amazon Web Services (AWS)
With the default installer settings, the Okta AD Agent tries to create the OktaService account in the domain's default Users container.
In AWS Managed AD that container is managed by AWS: the Admin account AWS provides is delegated control only over the OU named after the directory's NetBIOS name (and its Users and Computers sub-OUs), so the installer's create request is rejected and the installation fails with the "Access is Denied" error above.
To resolve this, create the service account manually before installing the AD Agent and point the installer at it:
1. In AWS Managed AD, create the service account that the AD Agent will use. Create it in the Users OU beneath the OU named after your directory (the OU the AWS Admin account can write to), not in the domain-root Users container.
2. Begin the installation of the Okta AD Agent using the steps laid out in the Install the Okta Active Directory agent documentation.
3. During Step 3 of that documentation, select Use an alternate account that I specify.
4. Enter the credentials of the account created in step 1, then finish the installation.
NOTE: The Okta AD Agent service account must have the required permissions assigned before AD Agent installation. These permissions are detailed in the Okta service account permissions documentation.
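The following PowerShell is an added example, not part of the Okta article or of AWS or Okta tooling. It pre-creates the service account in the OU that AWS Managed AD delegates to the Admin account and verifies the result before you start the installer. It assumes the RSAT ActiveDirectory module is installed on a domain-joined Windows instance, that you are logged on as the AWS-provided Admin account, and that the account name "OktaService" is a placeholder you may change.

```powershell
# Added example: pre-create the Okta AD Agent service account in AWS Managed AD.
# Not from the Okta article; the account name and the OU layout assumptions
# are described in the comments below.
Import-Module ActiveDirectory -ErrorAction Stop

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$baseDN  = $domain.DistinguishedName
$svcName = "OktaService"   # placeholder; any name accepted by the installer works

# AWS Managed AD delegates the Admin account control only over the OU named
# after the directory NetBIOS name (with Users and Computers sub-OUs). The
# domain-root CN=Users container, which the installer targets by default, is
# not writable, which is what produces "Error creating service account:
# Access is Denied." So the account goes into the delegated Users OU instead.
$targetOU = "OU=Users,OU=$netbios,$baseDN"

# Fail early if the delegated OU is not where this script expects it.
$null = Get-ADOrganizationalUnit -Identity $targetOU -ErrorAction Stop

# Do not silently reuse or clobber an existing account of the same name.
if (Get-ADUser -Filter "SamAccountName -eq '$svcName'" -ErrorAction SilentlyContinue) {
    throw "$svcName already exists in $($domain.DNSRoot); reuse it deliberately or choose another name."
}

# The password is typed into the Okta installer later, so record it in your
# secrets manager rather than in a script or ticket.
$password = Read-Host -Prompt "Password for $svcName" -AsSecureString

New-ADUser -Name $svcName `
    -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
    -Path $targetOU `
    -AccountPassword $password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description "Okta AD Agent service account (pre-created for AWS Managed AD)"

# Verify placement and state before launching the installer.
$svc = Get-ADUser -Identity $svcName -Properties DistinguishedName, Enabled, PasswordNeverExpires
if (-not $svc.Enabled -or $svc.DistinguishedName -notlike "*$targetOU") {
    throw "Service account was not created as expected: $($svc.DistinguishedName)"
}

Write-Output "Created $($svc.DistinguishedName)."
Write-Output "Next: assign the permissions from the Okta service account permissions documentation, then run the installer and choose 'Use an alternate account that I specify'."
```

The script only creates and verifies the account; the directory permissions Okta requires still have to be granted to it from the Okta service account permissions documentation before the installer is run, because the installer does not grant them when an alternate account is supplied.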
