Grant Okta Active Directory (AD) agent password management permissions
Early Access release
You need to grant password reset permissions to the Okta Active Directory (AD) agent service accounts for the organizational units (OUs) that contain privileged accounts.
Grant Okta AD agent permissions to reset passwords
To perform this setup, the account you use must have the necessary permissions to modify the Access Control Lists (ACLs) of the organizational units (OUs) containing the privileged accounts. For instance, the account should be a member of the Active Directory Domain Admins group.
- Launch the Active Directory Users & Computers MMC snap-in.
- Go to the OU that contains the privileged accounts that will be managed by Okta Privileged Access.
- Right-click that OU, and then select ALL TASKS | DELEGATE CONTROL.
- Click NEXT, and then click ADD.
- Enter the Okta AD agent service account name, and then click OK.
- Ensure that the Okta AD agent service account name is listed in the box, and then click NEXT.
- Select the checkbox next to Reset user passwords and force password change at next logon, and then click NEXT.
- Click FINISH.
Grant Okta AD Agent permissions to reset passwords for protected accounts
If Okta Privileged Access manages the passwords for any accounts that are protected accounts or members of protected account groups such as Domain Admins, you must also perform other steps to ensure that Okta AD agent has password reset permissions for protected accounts.
ACLs for the protected accounts are updated every hour using the ACL values of the AdminSDHolder container as a template. The AdminSDHolder is a special object container in the Active Directory domain's system container.
To modify the ACL for this object, run the following commands, substituting your domain and the name of your Okta AD agent service account for the placeholder values.
You must execute these commands using an account that has permissions to modify the AdminSDHolder container, for example a member of the Domain Admins group. To do this, you could log into a system with a Domain Admin account and launch a command prompt (CMD) or use RunAs to start CMD with a Domain Admin user account.
Configure reset password permission
Execute the following command to give password reset permission to the Okta AD agent service account.
- Command: dsacls "[AdminSDHolder]" /G "[account]:CA;Reset Password"
- Example: dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=atko,DC=biz" /G "OktaService@corp.atko.biz:CA;Reset Password"
After running the command, you can confirm that the permissions have been applied by running the command without the additional switches and arguments.
Verify the reset password permission
If managing protected account passwords is a requirement for your Okta Privileged Access implementation, ensure that you complete all of these steps and verify that permissions have been correctly applied to protected accounts before proceeding.
- Command: dsacls "[AdminSDHolder]"
- Example: dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=atko,DC=biz"
- Example output: Allow CORP\OktaService Reset Password
In the output, you should see that the Okta AD agent service account now has the reset password permission for the AdminSDHolder container. Once the AdminSDHolder object has been updated, these permissions will automatically apply to protected accounts within an hour or less due to Synchronized Properties (SDProp). To apply them immediately, see the Active Directory documentation for instructions on how to run SDProp manually.
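The following PowerShell script is an added example, not part of the Okta documentation or the Okta AD agent, that checks both grants described above (the OU delegation and the AdminSDHolder ACE) in one pass and lists every principal holding the Reset Password right so that unexpected grants can be reviewed. It assumes the RSAT ActiveDirectory module is installed and that the service account name and OU distinguished name are replaced with your own values.

```powershell
# Added example (not Okta's code): audit who holds the "Reset Password" extended right
# on AdminSDHolder and on the OU that holds the privileged accounts.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\OktaService'                       # placeholder: your Okta AD agent service account
$TargetOu       = 'OU=Privileged,DC=corp,DC=atko,DC=biz'   # placeholder: OU containing the managed accounts

# Well-known GUID of the User-Force-Change-Password ("Reset Password") extended right
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainDn"

function Get-ResetPasswordGrantees {
    # Returns the Allow ACEs on the object that grant Reset Password, either explicitly
    # (matching GUID) or through an all-extended-rights / GenericAll ACE (empty GUID).
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ObjectType, IsInherited
}

foreach ($dn in @($adminSdHolder, $TargetOu)) {
    Write-Host "`nReset Password grantees on $dn"
    $grantees = @(Get-ResetPasswordGrantees -DistinguishedName $dn)
    $grantees | Format-Table -AutoSize

    if ($grantees.IdentityReference.Value -contains $ServiceAccount) {
        Write-Host "OK: $ServiceAccount holds Reset Password on $dn"
    } else {
        Write-Warning "$ServiceAccount does NOT hold Reset Password on $dn"
    }

    # Least privilege: any other explicit (non-inherited) grantee should be reviewed.
    $others = $grantees | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -ne $ServiceAccount
    }
    foreach ($ace in $others) {
        Write-Warning "Review: $($ace.IdentityReference.Value) also holds Reset Password on $dn"
    }
}
```

Run the script again after SDProp has propagated the AdminSDHolder template to confirm the ACE now appears on the protected accounts themselves.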
Related topics
Set up Active Directory domains
Manage Active Directory accounts