About Okta service account permissions

Before adjusting the permissions on your directory, make sure you understand how Active Directory (AD) permissions are set and plan how to manage permissions within your environment.

By default, the Okta AD agent installer creates a new Okta service account if you do not choose an existing account. The newly created OktaService account inherits the permissions of the Domain Users group. OktaService is also considered a member of the Authenticated Users and Everyone special identity groups when the agent is running.

The Okta AD agent Management Utility also includes the option of adding the OktaService account to the Domain Admins group. That grants far more than the agent needs. If you require the functionality listed below but don't want to make your service account a full admin, make sure the following permissions are set instead.

Provision user

  • Requires create child permissions for user objects on the target OU.

Update user attributes

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • mail
    • userPrincipalName
    • sAMAccountName
    • givenName
    • sn
    • userAccountControl
    • pwdLastSet
    • lockoutTime
    • cn
    • name
  • Requires write property permissions on user objects within your target OU for all other attributes mapped on the AD user profile within Okta (https://<org>/admin/universaldirectory).

Group push

  • Requires create child permissions for group objects on the target OU.
  • Requires delete child permissions for group objects on the target OU.
  • Requires write property permissions on group objects within your target OU for the following attributes:
    • sAMAccountName
    • description
    • groupType
    • member
    • cn
    • name

Reset password, forgot password, and sync password

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • lockoutTime
    • pwdLastSet
  • Requires Reset Password Control Access Right permission for user objects within your target OU.

Activate and deactivate user

  • Requires write property permissions on user objects within your target OU for the following attributes:
    • userAccountControl

Use reference commands to add permissions

You can add the permissions listed here using the commands below. Save them to a batch file and change the target OU and service account information to match your environment. Remove the permissions you do not need and add any other attributes you have mapped for provisioning within Okta. You can get the complete list of user attributes from your directory user profile at https://<org>/admin/universaldirectory.

REM Create user

dsacls "OU=targetOU,DC=domain" /G domain\agentserviceaccount:CC;user

REM Create or update user

REM Include additional attributes that are mapped in your org within Okta

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;mail;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;userPrincipalName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sAMAccountName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;givenName;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sn;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;userAccountControl;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;pwdLastSet;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;lockoutTime;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;cn;user

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;name;user

REM Create user / password reset

dsacls "OU=targetOU,DC=domain" /I:S /G "domain\agentserviceaccount:CA;Reset Password;user"

REM Group push

dsacls "OU=targetOU,DC=domain" /G domain\agentserviceaccount:CCDC;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;sAMAccountName;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;description;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;groupType;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;member;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;cn;group

dsacls "OU=targetOU,DC=domain" /I:S /G domain\agentserviceaccount:WP;name;group
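After running the commands, it is worth checking what the service account actually holds on the OU rather than trusting that the dsacls calls all succeeded. The following PowerShell script is an added example, not Okta's code: it resolves the schema GUIDs for the classes and attributes listed above, reads the OU's DACL, reports any required right that is missing, and lists ACEs that grant broader rights than the list (GenericAll, WriteDacl, WriteOwner, or unscoped WriteProperty/ExtendedRight). It assumes the RSAT ActiveDirectory module is installed, that you run it as a user who can read the OU's security descriptor, and that $TargetOU and $ServiceAccount are placeholders you replace with your own values.

```powershell
# Added example (not Okta's code): audit the ACEs held by the Okta AD agent
# service account on the target OU against the least-privilege list above.
# Assumes the RSAT ActiveDirectory module; $TargetOU / $ServiceAccount are placeholders.
Import-Module ActiveDirectory

$TargetOU       = 'OU=targetOU,DC=domain'   # placeholder, replace with your OU
$ServiceAccount = 'DOMAIN\OktaService'      # placeholder, NetBIOS\sAMAccountName
$ADR            = [System.DirectoryServices.ActiveDirectoryRights]

$UserAttrs  = 'mail','userPrincipalName','sAMAccountName','givenName','sn',
              'userAccountControl','pwdLastSet','lockoutTime','cn','name'
$GroupAttrs = 'sAMAccountName','description','groupType','member','cn','name'

# Resolve schemaIDGUIDs for the user/group classes and every attribute we need.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$names    = @('user','group') + $UserAttrs + $GroupAttrs | Select-Object -Unique
$filter   = '(|' + (($names | ForEach-Object { "(lDAPDisplayName=$_)" }) -join '') + ')'
$Guid = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $Guid[$_.lDAPDisplayName] = [guid]::new([byte[]]$_.schemaIDGUID) }
$unresolved = $names | Where-Object { -not $Guid.ContainsKey($_) }
if ($unresolved) { throw "Could not resolve schema GUIDs for: $($unresolved -join ', ')" }

# "Reset Password" control access right = User-Force-Change-Password (well-known rightsGuid).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Expected ACEs: the right, the object type it is scoped to, and the class it is inherited by.
# An empty Inh means the ACE applies to the OU itself (create/delete child).
$Required = @(
    @{ Name = 'create user';    Right = 'CreateChild';   Obj = $Guid['user'];       Inh = [guid]::Empty }
    @{ Name = 'create group';   Right = 'CreateChild';   Obj = $Guid['group'];      Inh = [guid]::Empty }
    @{ Name = 'delete group';   Right = 'DeleteChild';   Obj = $Guid['group'];      Inh = [guid]::Empty }
    @{ Name = 'reset password'; Right = 'ExtendedRight'; Obj = $ResetPasswordRight; Inh = $Guid['user'] }
)
foreach ($a in $UserAttrs)  { $Required += @{ Name = "write user.$a";  Right = 'WriteProperty'; Obj = $Guid[$a]; Inh = $Guid['user'] } }
foreach ($a in $GroupAttrs) { $Required += @{ Name = "write group.$a"; Right = 'WriteProperty'; Obj = $Guid[$a]; Inh = $Guid['group'] } }

# Read the OU's DACL and keep only Allow ACEs granted directly to the service account.
$acl  = Get-Acl -Path "AD:\$TargetOU"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}

# An ACE covers a requirement if it carries the right and its ObjectType / InheritedObjectType
# is either the exact GUID or the empty GUID, which means "all" and is therefore broader.
function Test-Covers($ace, $req) {
    $right = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
    (($ace.ActiveDirectoryRights -band $right) -eq $right) -and
    ($ace.ObjectType -eq $req.Obj -or $ace.ObjectType -eq [guid]::Empty) -and
    ($ace.InheritedObjectType -eq $req.Inh -or $ace.InheritedObjectType -eq [guid]::Empty)
}

$missing = foreach ($req in $Required) {
    if (-not ($aces | Where-Object { Test-Covers $_ $req })) { $req.Name }
}

# ACEs that go beyond the list: full control, DACL/owner changes, or write/extended rights
# that are not scoped to a specific attribute or control access right.
$Broad  = $ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner
$excess = $aces | Where-Object {
    (($_.ActiveDirectoryRights -band $Broad) -ne 0) -or
    ((($_.ActiveDirectoryRights -band $ADR::WriteProperty) -ne 0) -and $_.ObjectType -eq [guid]::Empty) -or
    ((($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and $_.ObjectType -eq [guid]::Empty)
}

"Service account  : $ServiceAccount"
"Target OU        : $TargetOU"
"Missing rights   : " + $(if ($missing) { $missing -join ', ' } else { 'none' })
"Broad/excess ACEs: " + $(if ($excess) { '' } else { 'none' })
$excess | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The check only looks at ACEs granted to the service account by name; rights it receives through group membership (for example if someone added it to Domain Admins or Account Operators) will not appear here, so pair this with a review of the account's group memberships. Attributes you have mapped in Okta beyond the list above need to be appended to $UserAttrs before the "missing" report is meaningful for your org.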
