Unlock locked AD accounts

Okta Classic Engine | Administration | Answered
Record ID: 0D50Z00008G7V6VSAV
Dates on page: 2016-06-25, 2018-08-12, 2024-04-18
  • Parth Swadas (Customer)

    Hi Alex,

    Yes, this is possible via Okta. You can set up SMS password reset/unlock of AD accounts via Okta.

    You can set these features from the Admin console -> Security -> Authentication -> Active Directory -> "Users can change their Active Directory passwords in Okta" -> "Users can reset forgotten AD passwords in Okta".

    Also, you can use Active Directory Self Service Unlock -> "Users can unlock their Active Directory accounts in Okta".

    Ensure you have the SMS pack to use this feature.

    /Parth
    Selected as Best
  • Jim Knutson - Okta (Okta, Inc.)

    Alex,

    We have released a softlock feature. For AD-mastered users, Okta provides a Softlock feature, used in conjunction with AD to prevent end-user lockouts. Previously, repeatedly entering an invalid password during Okta login could lock an end-user out of their Windows account and hardware device. This option also prevents a malicious third party from using Okta to lock up an end user via the web. More information is here:

    https://support.okta.com/help/articles/Knowledge_Article/Configuring-Group-Password-Policies

    Happy Connecting!
  • y8cse (y8cse)

    My understanding is that the AD account unlock functionality is only available if you have enabled AD Delegated Authentication.
  • d8skj (d8skj)

    I have noticed the same thing. I have all the referenced features turned on in the Admin Console, but account unlocks via SMS/Email are still not working for my organization. Do any changes need to be made in AD to delegate this permission out?
  • yhjtz (yhjtz)

    I am having the same issue. We have already enabled "Users can change their Active Directory passwords in Okta" and "Users can unlock their Active Directory accounts in Okta" but still users are not able to unlock AD accounts in Okta.
  • ScottG.54658 (Jeppesen)

    Wouldn't the Okta service account need to have elevated permissions for the password unlock feature to work?
  • hsodu (hsodu)

    I have found that the Okta account must be locked as well for the self service to unlock the users AD account.
  • 5szmg (5szmg)

    If this feature is not working for you, please check the permissions of the Okta service account in AD. It needs to have "domain admin" in order for end users to self-unlock and change the password using the Forgot password link.
  • Josh Spitaleri (Customer)

    Does this not work if the user only has Okta Verify set up as their two-factor? The answer above states that this works with SMS, but it would seem logical if it worked with Okta Verify as well. Can someone confirm?
  • pkuhy (pkuhy)

    We would also like to implement self-service unlock; however, we are not prepared to give a service account Domain Administrator access. Does anyone have the specific account permissions required for the Okta service account to unlock accounts, so that this can be replicated?
This question is closed.