Okta Admins Cannot Reset DelAuth User Passwords
Okta Classic Engine
Directories
Okta Identity Engine
Overview

If an Okta Admin cannot reset the password of an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) user who signs in with Delegated Authentication (DelAuth), a common cause is that the Okta AD Agent service account or Okta LDAP Agent service account lacks the directory permissions needed to perform the reset.

Applies To
  • Delegated Authentication
  • Password Reset
  • Okta AD Agent
  • Okta LDAP Agent
Cause

An Okta Admin is often required to reset user passwords. For users whose passwords are Okta-sourced this works without further configuration. When a user signs in with Delegated Authentication, however, the password is not stored in Okta at all; it lives on the AD domain controller or LDAP directory server, and Okta only proxies the reset.

The reset is therefore performed by the agent service account that talks directly to the domain controller or LDAP server, and that account must hold the directory permissions to change the password (and, for AD, the related attributes) on behalf of the Okta Administrator.

Solution

To allow Okta Admins to reset DelAuth user passwords, the Okta AD Agent service account or Okta LDAP Agent service account must have permission to do so.


Active Directory

The permission to reset user passwords is granted implicitly when the service account is a member of the Domain Admins group. That is far more privilege than the agent needs, and the agent's credentials are stored on the host that runs it, so prefer the delegated permissions described next and reserve Domain Admins membership for the protected-user case noted at the end of this section.


The permissions can instead be granted granularly with the dsacls command, run from a CMD prompt on a domain controller. The following steps show how to build a batch file that grants the three rights Okta needs on a target OU: the "Reset Password" control access right, write access to pwdLastSet (so a reset can force a change at next sign-on), and write access to lockoutTime (so a locked account can be unlocked).

  1. On a domain controller, create a new text file.
  2. Use the following block as example text.

dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:CA;Reset Password;user"
dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user
dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user

    • If users exist in several target OUs that do not share a common parent OU, repeat the three commands for each additional target OU.
    • Replace OU=targetOU,DC=domain with the distinguished name of the highest-level OU that contains the users, so that the permissions propagate down to them. /I:S applies the entries to sub-objects only (here, the user objects beneath the OU), not to the OU itself.
    • Replace domain\agentserviceaccount with the domain NETBIOS name and the service account's sAMAccountName.
    • NOTE: In the first line of the example text, the service account and the permission must together be enclosed in double quotes, because the permission name Reset Password contains a space.
  3. Save the file with the file extension .bat.
  4. Run the batch file as an Administrator.
  5. To confirm the result, run dsacls against the same OU with no other arguments; the output lists the ACL, and the agent account should appear with the three inherit-only entries for user objects.

NOTE: If the target user is, or has ever been, a member of a protected group in AD (Domain Admins, Account Operators and the other groups covered by AdminSDHolder), the SDProp process has stamped the user's adminCount attribute to 1 and replaced its ACL with the AdminSDHolder ACL with inheritance disabled, so the delegated entries above never reach it. To make the reset work, remove the user from all protected groups, set adminCount to 0 and re-enable permission inheritance on the user object (clearing adminCount alone does not restore inheritance). If this is not possible, the Okta AD Agent service account must be made a member of Domain Admins to complete the password reset. If neither option is possible, Okta cannot reset the password of that user.
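The same delegation can be done and verified from PowerShell, which is useful when the grant must be repeated across forests or audited afterwards. The script below is an added example and is not code from the Okta article; it grants the three rights the dsacls lines grant, scoped to user objects and inherited only, then lists what the agent account actually holds on the OU and flags AdminSDHolder-protected users. The OU, domain and account names are placeholders, and the GUIDs are resolved from the schema rather than hard-coded.

```powershell
# Added example, not part of the Okta article. Run as a domain administrator on a
# host with the ActiveDirectory module (RSAT). All names below are assumed placeholders.
Import-Module ActiveDirectory

$TargetOU     = "OU=Employees,DC=example,DC=com"   # highest OU containing the DelAuth users (assumed)
$AgentSam     = "svc-okta-ad"                      # Okta AD Agent service account (assumed)
$AgentAccount = "EXAMPLE\$AgentSam"                # NETBIOS form, as dsacls expects (assumed)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve schema GUIDs at runtime instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$userClassGuid   = Get-SchemaGuid 'user'          # limits the ACEs to user objects (the ";user" in dsacls)
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'

# "Reset Password" is a control access right stored under Extended-Rights in the configuration partition.
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$sid     = (Get-ADUser -Identity $AgentSam).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # sub-objects only, like dsacls /I:S
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# One ACE per dsacls line: CA;Reset Password;user  WP;pwdLastSet;user  WP;lockoutTime;user
$aces = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwdGuid,    $inherit, $userClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $pwdLastSetGuid,  $inherit, $userClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: the agent account should now hold exactly these three object-specific, inherit-only ACEs.
$wanted = @($resetPwdGuid, $pwdLastSetGuid, $lockoutTimeGuid)
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $AgentAccount -and $wanted -contains $_.ObjectType } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize

# Users stamped by AdminSDHolder (adminCount=1) do not inherit these ACEs, so resets for them will still fail.
Get-ADUser -SearchBase $TargetOU -LDAPFilter "(adminCount=1)" -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

The verification step is the part worth keeping around: if the first table is empty after the grant, the OU has inheritance blocked or the account name resolved to a different principal; if the second list is non-empty, those users need the adminCount and inheritance fix described in the note above before Okta can reset them.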


LDAP

LDAP itself defines no access-control model, so there is no built-in equivalent of Domain Admins: who may write the password attribute is decided entirely by the directory server's own ACL configuration, and no group grants that right unless the ACLs say so. The agent service account must therefore be given write access to the password attribute explicitly.


For the purposes of this article, the OpenLDAP password attribute "userPassword" will be used. Depending on the LDAP directory flavor, the password attribute may be different or even custom-created.


In OpenLDAP, for example, the service account must be granted write access to the attribute, either dynamically through the cn=config database with ldapmodify or statically in slapd.conf. OpenLDAP evaluates access directives in order and uses the first "access to" clause that matches the target, so the userPassword rule must come before any broader rule such as "access to * by * read". After applying the change, verify it by binding as the service account and changing a test user's password with ldappasswd, and confirm that an ordinary user bind still cannot read or write other users' passwords.


Using ldapmodify (cn=config)

Save the following as an LDIF file. The database DN olcDatabase={1}mdb is an example; check cn=config for the database that holds your users (it may be {1}hdb, {2}mdb, and so on). The {0} prefix inserts the rule at the front of the olcAccess list so it takes precedence over any existing userPassword or catch-all rule.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by group.exact="cn=itadmins,ou=groups,dc=example,dc=com" write by dn.exact="cn=oktaservice,ou=users,dc=example,dc=com" write by * none

Apply it from the server with: ldapmodify -Y EXTERNAL -H ldapi:/// -f okta-acl.ldif

Updating slapd.conf

Continuation lines in slapd.conf must begin with whitespace, and this rule must appear before any broader "access to" rule. The service account is matched with dn.exact; dn.one would match only entries directly beneath the service account's DN, not the account itself.

access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=itadmins,ou=groups,dc=example,dc=com" write
    by dn.exact="cn=oktaservice,ou=users,dc=example,dc=com" write
    by * none

Restart slapd after editing slapd.conf for the change to take effect.
