Okta Password Sync Fails to Push Password to Active Directory
Overview
When the Application Sync Password feature is enabled on an Active Directory (AD) integration, a password reset in Okta can fail to reach AD because the AD Agent service account lacks the permissions needed to write the new password to the user object. Resolving the issue requires an administrator to confirm that permissions are the cause and then grant the AD Agent service account the specific rights it needs to update user passwords.
The symptom is that an administrator or user resets a password in Okta, but the password on the corresponding AD user object does not change. The Okta System Log first shows the password being transferred successfully to the user's Okta AD AppUser profile:
Push user's Okta password to application SUCCESS
Following the success entry, the log shows a failure when Okta attempts to write the password to the AD object:
Perform directory invoke command by AD agent FAILURE
NOTE: To investigate the full transaction, perform the following System Log query:
eventType eq "system.agent.ad.invoke_dir" or eventType eq "application.provision.user.push_okta_password"
If the log entries appear at the same timestamp or within a few seconds, the most likely root cause is insufficient permissions for the AD Agent service account.
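The following PowerShell script is an added example, not part of the Okta article, that runs the System Log query above against the Okta API and pairs each password push SUCCESS with an AD agent invoke FAILURE that lands within a few seconds of it. The org hostname, the SSWS API token, the window size and the assumption that each event's target array carries a User entry with an alternateId are all placeholders or assumptions of this example.

```powershell
# Added example (not Okta's own tooling): correlate the two System Log event
# types from the article to confirm the push SUCCESS / invoke FAILURE pattern.
# Assumptions: $OktaOrg is your org hostname, $ApiToken is an SSWS API token with
# read access to the System Log, Windows PowerShell 5.1 or PowerShell 7.
param(
    [Parameter(Mandatory)][string]$OktaOrg,     # placeholder, e.g. example.okta.com
    [Parameter(Mandatory)][string]$ApiToken,    # SSWS token; read-only access is enough
    [int]$LookbackHours  = 24,
    [int]$WindowSeconds  = 10                   # "same timestamp or within a few seconds"
)

# The exact filter the article recommends.
$filter = 'eventType eq "system.agent.ad.invoke_dir" or eventType eq "application.provision.user.push_okta_password"'
$since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$uri    = "https://$OktaOrg/api/v1/logs?since=$since&limit=1000&filter=$([uri]::EscapeDataString($filter))"
$headers = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json' }

# One page (limit=1000) covers a day of password pushes for most orgs; follow the
# Link: rel="next" response header if you widen the lookback.
$events = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

$pushes   = @($events | Where-Object {
    $_.eventType -eq 'application.provision.user.push_okta_password' -and $_.outcome.result -eq 'SUCCESS' })
$failures = @($events | Where-Object {
    $_.eventType -eq 'system.agent.ad.invoke_dir' -and $_.outcome.result -eq 'FAILURE' })

# Assumption: the target array of the push event contains a User entry whose
# alternateId is the user's login; adjust if your events look different.
function Get-TargetUser($event) {
    ($event.target | Where-Object { $_.type -eq 'User' } | Select-Object -First 1).alternateId
}

$correlated = foreach ($p in $pushes) {
    $pushTime = [datetimeoffset]$p.published
    $hit = $failures | Where-Object {
        $delta = ([datetimeoffset]$_.published - $pushTime).TotalSeconds
        $delta -ge 0 -and $delta -le $WindowSeconds
    } | Select-Object -First 1
    if ($hit) {
        [pscustomobject]@{
            User           = Get-TargetUser $p
            PushTime       = $pushTime.ToString('u')
            AgentFailTime  = ([datetimeoffset]$hit.published).ToString('u')
            AgentReason    = $hit.outcome.reason     # free-text reason Okta attaches to the failure
        }
    }
}

if ($correlated) {
    $correlated | Format-Table -AutoSize
    Write-Host "$(@($correlated).Count) push SUCCESS event(s) followed by an AD agent invoke FAILURE within $WindowSeconds s."
    Write-Host 'Most likely root cause: insufficient permissions on the AD Agent service account.'
} else {
    Write-Host "No push SUCCESS / invoke FAILURE pairs within $WindowSeconds s in the last $LookbackHours h."
}
```

The pairing is by time only, so a busy org with many simultaneous resets can produce a false pair; the User column lets you cross-check that the same account appears in both events before concluding it is a permissions problem.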
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Active Directory (AD) Integration
- Application Sync Password
- User Provisioning
Cause
Insufficient Active Directory permissions assigned to the AD Agent Service Account cause the password sync failure.
The System Log entry Push user's Okta password to application SUCCESS confirms that Okta accepted the new password for the user's AD AppUser profile and handed it to the AD Agent. The following entry Perform directory invoke command by AD agent FAILURE shows that the agent's write to Active Directory was rejected, which is what happens when the service account does not hold the right to reset the target user's password on that user object.
Solution
How is the permissions issue confirmed?
Confirm the issue is permissions-related by temporarily granting Domain Admin privileges to the AD Agent Service Account and verifying a successful password reset.
- Temporarily grant Domain Admin privileges to the AD Agent Service Account by placing the account in the built-in Domain Admins Active Directory group.
- Restart the AD Agent service on all servers where the agent is installed. This step is required for new permissions to be applied.
- Perform another password reset for a user in Okta.
- Verify that the Perform directory invoke command by AD agent entry now shows SUCCESS, or that the user can authenticate to the domain with the new password.
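The following PowerShell script is an added example, not part of the Okta article, of running the diagnostic above so that the elevation is recorded, the agent is restarted on every host, and the account is removed from Domain Admins again even if the test is interrupted. The service account name, the agent host names, the Windows service name OktaADAgent and the test user are placeholders of this example; confirm the real service name with Get-Service on an agent host.

```powershell
# Added example (not Okta's own tooling): time-boxed Domain Admins test for the
# AD Agent service account, with guaranteed rollback.
# Assumptions: RSAT ActiveDirectory module, WinRM to the agent hosts, and an
# account running this script that can change Domain Admins membership.
param(
    [string]$ServiceAccount = 'svc-okta-ad',                 # placeholder
    [string[]]$AgentHosts   = @('adagent01', 'adagent02'),    # placeholder
    [string]$AgentService   = 'OktaADAgent',                  # assumption; check Get-Service on a host
    [string]$TestUser       = 'jdoe'                          # placeholder
)

Import-Module ActiveDirectory

# The new group SID only appears in a token built at logon, so the service must
# restart on every agent host after each membership change.
function Restart-AgentEverywhere {
    Invoke-Command -ComputerName $AgentHosts -ArgumentList $AgentService -ScriptBlock {
        param($svc)
        Restart-Service -Name $svc -Force
        Get-Service -Name $svc | Select-Object MachineName, Name, Status
    }
}

# Refuse to run if the account is already privileged: that would hide the
# permissions problem and make the rollback below remove a membership we did not add.
$groups = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name
if ($groups -contains 'Domain Admins') {
    throw "$ServiceAccount is already in Domain Admins; the sync failure is not a permissions problem."
}

$started = Get-Date
Write-Host "[$started] Adding $ServiceAccount to Domain Admins for the test."
Add-ADGroupMember -Identity 'Domain Admins' -Members $ServiceAccount

try {
    Restart-AgentEverywhere

    # Trigger the test from Okta (admin console or API), then check the AD side.
    Read-Host "Reset the Okta password of $TestUser now, then press Enter"

    # pwdLastSet moves forward when the reset reaches AD. Query the DC the agent
    # talks to (or wait for replication) or you may read a stale value.
    $u = Get-ADUser -Identity $TestUser -Properties pwdLastSet
    $pwdSet = [datetime]::FromFileTime($u.pwdLastSet)
    if ($pwdSet -gt $started) {
        Write-Host "CONFIRMED: pwdLastSet for $TestUser is $pwdSet (after $started); the failure is permissions-related."
    } else {
        Write-Host "NOT CONFIRMED: pwdLastSet for $TestUser is still $pwdSet; look beyond permissions."
    }
}
finally {
    # Always undo the elevation, even on error or Ctrl+C in Read-Host.
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $ServiceAccount -Confirm:$false
    Restart-AgentEverywhere
    $still = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name -contains 'Domain Admins'
    Write-Host "[$(Get-Date)] Domain Admins membership removed: $(-not $still)"
}
```

While the account sits in Domain Admins, every host running the agent is effectively a domain controller from an attacker's point of view, so keep the window to minutes, run it under change control, and treat the entry in the script's output as the record of when the membership was added and removed.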
How are the permanent granular permissions implemented?
Assign the granular permissions required for password updates by removing the service account from the Domain Admins group, applying the correct permissions, and restarting the AD Agent service.
- Remove the service account from the Domain Admins group immediately after confirming the issue.
- Grant the service account the necessary granular permissions on the Active Directory domain or the specific Organizational Units (OUs) that contain the synchronized users, as detailed in the Okta service account permissions documentation.
- Restart the AD Agent service so that it logs on again without the Domain Admins group in its access token and runs with only the delegated, restricted permissions.
- Perform a password reset for a user from Okta to verify that the password successfully syncs to Active Directory.
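The following PowerShell script is an added example, not part of the Okta article, of delegating the permanent granular rights: it removes the service account from Domain Admins, grants an inherited access control entry on each user OU, reads the ACL back, and restarts the agent. The service account, OU distinguished names, agent host names and service name are placeholders. The Reset Password control access right is what any forced AD password reset requires; the pwdLastSet write right is included as an illustration of how an attribute-level right is added, and the full list to grant must be taken from the Okta service account permissions documentation the article refers to.

```powershell
# Added example (not Okta's own tooling): replace Domain Admins membership with
# OU-scoped delegation for the AD Agent service account.
# Assumptions: RSAT ActiveDirectory module (provides the AD: drive), WinRM to
# the agent hosts, and an account that can edit the OU ACLs.
param(
    [string]$ServiceAccount = 'svc-okta-ad',                                   # placeholder
    [string[]]$UserOUs      = @('OU=Staff,DC=corp,DC=example'),                # placeholder
    [string[]]$AgentHosts   = @('adagent01', 'adagent02'),                     # placeholder
    [string]$AgentService   = 'OktaADAgent'                                    # assumption
)

Import-Module ActiveDirectory

# 1. Out of Domain Admins first (no-op if the diagnostic rollback already ran).
Remove-ADGroupMember -Identity 'Domain Admins' -Members $ServiceAccount -Confirm:$false -ErrorAction SilentlyContinue

# 2. Rights to delegate. GUIDs are the well-known AD schema/rights GUIDs.
$sid        = (Get-ADUser -Identity $ServiceAccount).SID
$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$rules = @(
    # Control access right "Reset Password" (User-Force-Change-Password).
    @{ Right = 'ExtendedRight'; Object = [guid]'00299570-246d-11d0-a768-00aa006e0529' }
    # Write pwdLastSet; assumption: extend this list to match Okta's documented set.
    @{ Right = 'WriteProperty'; Object = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' }
)

foreach ($ou in $UserOUs) {
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($r in $rules) {
        # Inherit to descendant user objects only, not to the OU itself or to
        # computers, groups or other object classes beneath it.
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $r.Right, 'Allow', $r.Object, 'Descendents', $userClass)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$ou" -AclObject $acl
    Write-Host "Delegated $($rules.Count) ACE(s) to $ServiceAccount on $ou"
}

# 3. Read the ACLs back so the change is verified rather than assumed.
foreach ($ou in $UserOUs) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}

# 4. Restart so the agent logs on with a token that no longer carries Domain Admins.
Invoke-Command -ComputerName $AgentHosts -ArgumentList $AgentService -ScriptBlock {
    param($svc)
    Restart-Service -Name $svc -Force
    Get-Service -Name $svc | Select-Object MachineName, Name, Status
}

# 5. Final check: the account should hold no privileged group membership.
$privileged = (Get-ADPrincipalGroupMembership -Identity $ServiceAccount).Name |
    Where-Object { $_ -in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators' }
if ($privileged) { Write-Warning "$ServiceAccount is still in: $($privileged -join ', ')" }
else { Write-Host "$ServiceAccount holds no privileged group membership; now reset a user's password from Okta to verify." }
```

Scoping the ACEs to the OUs that actually hold synchronized users, rather than the domain root, means a compromise of the agent host or its service account can only reset passwords for those users; if any administrators live in those OUs, move them or carve them out, because a reset right over an admin account is itself a path to domain compromise.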
