Unlocking a user account directly in Active Directory (AD) does not synchronize the status back to Okta. A user account stays locked in Okta even after the AD-sourced account is unlocked in the local directory. The Okta account remains locked until the lockout duration expires or an administrator manually unlocks the account in the Okta Admin Console.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Active Directory (AD)
- Account Unlock
- Delegated Authentication
Unlocking an AD account from within AD does not unlock the account in Okta. Okta does not receive or process the unlock event from AD. This is expected behavior.
How is a user account unlocked in Okta after an Active Directory unlock?
Any of the following resolves the account lock state in Okta:
- An administrator can manually unlock the account by navigating to the user profile in the Okta Admin Console and selecting the unlock option.
- The user can follow the Self-Service Unlock process if configured in the applicable password policy.
- The account will automatically unlock in Okta after the duration specified in the Okta policy expires.
NOTE: The Okta AD Agent service account needs sufficient permissions for end users to use self-service unlock.
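Because the AD unlock never reaches Okta, an administrator who automates unlocks has to reconcile the Okta side separately. The script below is an added example, not Okta's own code or part of this article: it reads the user's Okta status and calls the unlock lifecycle endpoint only when the status is still `LOCKED_OUT`. It assumes an API token with user lifecycle permissions; the org URL, token and sample user record are constructed placeholders.

```python
"""Reconcile an Okta user's lock state after the AD account was unlocked.

Added example (not Okta's code). Uses the documented Okta Users API:
  GET  /api/v1/users/{login}              -> user record with "status"
  POST /api/v1/users/{id}/lifecycle/unlock -> clears LOCKED_OUT
ORG_URL, API_TOKEN and SAMPLE_LOCKED_USER below are constructed.
"""
import json
import urllib.parse
import urllib.request

ORG_URL = "https://example.okta.com"      # placeholder
API_TOKEN = "<api-token-placeholder>"     # placeholder, never commit real tokens
SAMPLE_LOCKED_USER = {"id": "00u000000000000000x0", "status": "LOCKED_OUT"}  # constructed


def needs_okta_unlock(user: dict) -> bool:
    """True when the AD-side unlock did not clear the Okta lock."""
    return user.get("status", "") == "LOCKED_OUT"


def okta_request(org_url: str, token: str, path: str, method: str = "GET"):
    """Build an authenticated request; SSWS is Okta's API-token scheme."""
    req = urllib.request.Request(org_url.rstrip("/") + path, method=method)
    req.add_header("Authorization", "SSWS " + token)
    req.add_header("Accept", "application/json")
    return req


def call_okta(req) -> dict:
    """Send the request; the unlock endpoint returns an empty body on success."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return json.loads(body) if body else {}


def reconcile(login: str, get_user, unlock_user) -> str:
    """Unlock in Okta only if still LOCKED_OUT; lookups are injected for testing."""
    user = get_user(login)
    if needs_okta_unlock(user):
        unlock_user(user["id"])
        return "unlocked"
    return "no-op:" + user.get("status", "")


def reconcile_live(login: str, org_url: str = ORG_URL, token: str = API_TOKEN) -> str:
    """Wire reconcile() to the real API (network call; run after the AD unlock)."""
    quoted = urllib.parse.quote(login, safe="")
    return reconcile(
        login,
        lambda lg: call_okta(okta_request(org_url, token, f"/api/v1/users/{quoted}")),
        lambda uid: call_okta(okta_request(org_url, token, f"/api/v1/users/{uid}/lifecycle/unlock", "POST")),
    )
```

The same check can be run against a `DEPROVISIONED` or `SUSPENDED` status, which the function deliberately leaves alone because those states are not lockouts.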
