Required Accounts for Okta Active Directory Agent Installation and Operation
Overview

Administrators require three specific accounts for the installation and operation of the Okta Active Directory (AD) Agent. Identifying and configuring these accounts ensures a successful agent deployment and prevents directory integration failures.

Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Directories
  • Okta Active Directory (AD) Agent
Solution

What accounts are required for the Okta Active Directory Agent?

The Okta AD Agent installation and configuration requires the following three accounts:

  1. An Okta account with the permissions required to install and register the AD agent. The following permissions and requirements apply to this account:

    • The account requires permission to manage directories and to manage and register agents. See Agent permissions for details.
    • Directory permissions are required when creating an app instance with the AD agent. See Role permissions.
    • This account must be Okta-sourced, not AD-sourced.

NOTE: An account assigned the Super Administrator role automatically possesses the required permissions to perform all administrative tasks.

  2. The Okta AD Agent service account, an AD account under which the agent service runs. Review the following considerations for the service account:

    • During installation, administrators can select an existing account or direct the installer to create an account named OktaService. Whichever option is chosen, the service account must hold the permissions the agent needs.
    • Okta recommends using the same AD service account on all Okta AD agents in the environment.
  3. An AD Domain Admin account to perform the AD agent installation.

What common issues may occur with these accounts?

  • The Okta account used to register the agent (Account 1 above) becomes disabled or deactivated.
    • Starting with version 3.18.0, the AD Agent operates independently of any Okta account. This ensures that the Okta AD integration continues to work as expected, regardless of the account status used to register the agent.
    • For version 3.17.0 and earlier of the AD agent, disabling or removing admin roles from the account used to register the agent will cause agent operations to fail. Reactivate the account or reinstall the AD agent, using a new account during registration.
  • The Okta AD Agent service account (Account 2 above) password changes or the account is deactivated.
    • If the password is updated, follow the instructions in How to Update the Password for the Okta AD Agent Service.
    • If the account is deactivated, the service will not run successfully. Reactivate the account or reinstall the AD agent, specifying a new service account during installation.
  • The AD account of the Domain Admin who installed the agent (Account 3 above) is disabled.
    • This can cause service interruptions if the agent files are owned solely by this account or are protected with encryption tied to it. Reinstall the AD agent to restore operation.
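
The following PowerShell script is an added example, not Okta's code or part of this article: it checks, on the agent host, the two AD-side failure modes listed above (the service account from the account list, and the installing Domain Admin account that may own the agent files). It assumes the agent's Windows service is named OktaADAgent (an assumption; pass -ServiceName if yours differs), that the ActiveDirectory PowerShell module (RSAT) is installed, and that the caller can read AD user attributes and the install folder's ACL. The Okta-sourced registration account is not checked here: its status lives in the Okta admin console and only matters for agents at version 3.17.0 or earlier.

```powershell
# Added health check for the AD accounts the Okta AD Agent depends on. Not Okta's code.
# Assumptions (not from the article): the agent service is named 'OktaADAgent';
# the ActiveDirectory module is available; the script runs on the agent host.
param(
    [string]$ServiceName = 'OktaADAgent'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Reduce 'DOMAIN\user' or 'user@domain' to the sAMAccountName used for AD lookups.
function Get-SamFromAccountName([string]$AccountName) {
    if ($AccountName -match '\\') { return ($AccountName -split '\\')[-1] }
    if ($AccountName -match '@')  { return ($AccountName -split '@')[0] }
    return $AccountName
}

# Look up one AD user by sAMAccountName. -Filter returns nothing (no error) when absent,
# so built-in principals such as 'BUILTIN\Administrators' simply yield $null.
function Get-AdAccountState([string]$Sam) {
    return Get-ADUser -Filter "sAMAccountName -eq '$Sam'" `
        -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet
}

$findings = New-Object System.Collections.Generic.List[string]

# --- Account 2: the AD service account the agent service actually logs on as ---
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the -ServiceName assumption." }

$findings.Add("Service '$ServiceName' is $($svc.State) (start mode $($svc.StartMode)), logon account '$($svc.StartName)'")
if ($svc.State -ne 'Running') {
    $findings.Add("FAIL: service is not running; a changed password or a disabled service account is the usual cause")
}

$svcSam  = Get-SamFromAccountName $svc.StartName
$svcUser = Get-AdAccountState $svcSam
if (-not $svcUser) {
    $findings.Add("WARN: logon account '$svcSam' is not a domain user; the agent expects a domain service account such as OktaService")
} else {
    if (-not $svcUser.Enabled)    { $findings.Add("FAIL: service account '$svcSam' is disabled; re-enable it or reinstall the agent with a new service account") }
    if ($svcUser.LockedOut)       { $findings.Add("FAIL: service account '$svcSam' is locked out") }
    if ($svcUser.PasswordExpired) { $findings.Add("FAIL: password for '$svcSam' has expired; update the password stored for the agent service") }
    $findings.Add("Service account '$svcSam' password last set $($svcUser.PasswordLastSet)")
}

# --- Account 3: the installing admin may own the agent's install folder ---------
# Derive the install folder from the service's own executable path rather than
# assuming a fixed location; PathName may be quoted and may carry arguments.
$exe = if ($svc.PathName.StartsWith('"')) { $svc.PathName.Split('"')[1] } else { $svc.PathName.Split(' ')[0] }
$installDir = Split-Path -Parent $exe
$owner = (Get-Acl -Path $installDir).Owner
$findings.Add("Install folder '$installDir' is owned by '$owner'")

$ownerUser = Get-AdAccountState (Get-SamFromAccountName $owner)
if ($ownerUser -and -not $ownerUser.Enabled) {
    $findings.Add("FAIL: install folder owner '$owner' (likely the installing admin) is disabled; reinstall the agent to restore operation")
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it as an administrator on each agent host after a password rotation, an account offboarding or an agent outage; any line beginning with FAIL maps directly to one of the remediation steps above (update the stored service password, re-enable the account, or reinstall the agent).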
