About Okta service account permissions

Before adjusting the permissions on your directory, make sure you understand how Active Directory permissions are set and plan how to manage permissions within your environment.

By default, the Okta AD agent installer creates a new Okta service account if you don't choose an existing account. The newly created OktaService account inherits the permissions of the Domain Users group. OktaService is also considered to be a member of the Authenticated Users and Everyone special identity groups when the agent is running.

The Okta AD agent Management Utility also includes the option of adding the OktaService account to the Domain Admins group. If you require functionality listed below but don't want to make your service account a full admin, make sure the following permissions are set.

Provision user

  • Requires create child permission for user objects on the target OU.
  • Requires Reset Password Control Access Right permission for user objects within your target OU.
  • Requires write property permissions on user objects within your target OU for the following attributes:
    • mail
    • userPrincipalName
    • SAMaccountName
    • givenName
    • sn
    • userAccountControl
    • pwdLastSet
    • lockoutTime
    • cn
    • name
  • Requires write property permission on user objects within your target OU for all other attributes mapped on the AD user profile within Okta https://<org>/admin/universaldirectory

Update user attributes

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • mail
    • userPrincipalName
    • SAMaccountName
    • givenName
    • sn
    • userAccountControl
    • pwdLastSet
    • lockoutTime
    • cn
    • name
  • Requires write property permission on user objects within your target OU for all other attributes mapped on the AD user profile within Okta https://<org>/admin/universaldirectory

Group push

  • Requires create child permissions for group objects on the target OU.
  • Requires delete child permissions for group objects on the target OU.
  • Requires write property permissions on group objects within your target OU for the following attributes:
    • sAMAccountName
    • description
    • groupType
    • member
    • cn
    • name

Reset password, forgot password , and sync password

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • lockoutTime
    • pwdLastSet
  • Requires Reset Password Control Access Right permission for user objects within your target OU.

Activate and deactivate user

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • userAccountControl

Use reference commands to add permissions

You can add the permissions listed here using the commands below. Save them to a batch file and change the target OU and service account info to be correct for your environment. Remember to remove permissions you don't need and add any attributes you have mapped for provisioning within Okta. You can get the complete list of user attributes from your Directory user profile on https://<org>/admin/universaldirectory.

# Create User

dsacls "OU=targetOU,DC=domain" /G domain\agentserviceaccount:CC;user

# Create or Update user

# include additional attributes that are mapped in your org within Okta

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;mail;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;userPrincipalName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sAMAccountName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;givenName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sn;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;userAccountControl;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;cn;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;name;user

# Create user/Password Reset

dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:CA;Reset Password;user"

#Group Push

dsacls "OU=targetOU,DC=domain" /G domain\agentserviceaccount:CCDC;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sAMAccountName;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;description;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;groupType;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;member;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;cn;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;name;group