Reset a user password
AD-sourced users in a Delegated Authentication environment
When a password is reset, the original password doesn't expire in AD. If the user remembers their original AD password, they can use it to sign in despite the password reset.
If you use the Temporary Password option for an account that has the Password never expires option enabled, the user isn't prompted to change their password after entering the temporary password.
LDAP-sourced users in a Delegated Authentication environment
If an admin creates a temporary password for LDAP-sourced users, users must change their password the next time they sign in if the LDAP server password policy requires or allows it. To create password policies that support temporary passwords, consult the LDAP server manual provided by the vendor.
To deactivate user accounts temporarily, use the Suspend procedure. See Suspend and unsuspend users.
If you put an AD-managed account into Password Reset status, the user can still access Okta Mobile by using PIN or FaceID authentication.
- In the Admin Console, go to .
- Click Reset Passwords.
- Optional. Filter the list by selecting Locked out, Expired token, or All.
- Select a user and click Reset Password.
- In the Reset Password dialog, select one of the following options:
  - Send a reset password email: The password reset email is sent to the user’s primary and secondary (if available) email addresses.
  - Create a temporary password: You create a temporary password, which you can see. The account is marked as expired. The user is required to change their password the next time they sign in.
  - Remove password: The current password is removed but the account remains active. The user is required to set their password the next time they sign in. This option is available if password is configured as an optional authenticator.
- Select Sign out user if you want to revoke all sessions for the user. This signs the user out of all Okta sessions on all devices and browsers.
- Click Reset Password.