Self Service Password Reset

Iain Simpson
Mar 9, 2021

A quick reference to document the permissions required to enable SSPR in Okta, when using AD delegated authentication. I do this in PowerShell:

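# OU that holds the user accounts Okta should be able to reset
$ou = "ou=usersou,dc=domain,dc=com"

# CA = control access right (extended right), WP = write property; the trailing ";user" limits each grant to user objects
dsacls $ou /i:s /g "<domain>\ad_reset_account:CA;Reset Password;user"
dsacls $ou /i:s /g "<domain>\ad_reset_account:WP;lockoutTime;user"
dsacls $ou /i:s /g "<domain>\ad_reset_account:WP;pwdLastSet;user"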

Reference

/i:s — inheritance flags: sub-objects only

/g — grant the listed permissions to the specified group or user
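
To confirm the delegation landed as intended and that the account holds nothing beyond it, the OU's ACL can be read back. This is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module (for the AD: drive), reuses the post's placeholder OU and account name, and hard-codes the well-known schema GUIDs for the Reset Password right, the lockoutTime and pwdLastSet attributes, and the user class.

```powershell
Import-Module ActiveDirectory

$ou      = "ou=usersou,dc=domain,dc=com"    # placeholder DN from the post
$account = "<domain>\ad_reset_account"      # replace <domain> with your NetBIOS domain name

# Well-known schema GUIDs: the three rights granted above, and the user class
$expected = @{
    "00299570-246d-11d0-a768-00aa006e0529" = "ExtendedRight|Reset Password"
    "28630ebf-41d5-11d1-a9c1-0000f80367c1" = "WriteProperty|lockoutTime"
    "bf967a0a-0de6-11d0-a285-00aa003049e2" = "WriteProperty|pwdLastSet"
}
$userClass = "bf967aba-0de6-11d0-a285-00aa003049e2"

# Every ACE on the OU whose trustee is the reset account
$aces = (Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $account }

$report = foreach ($ace in $aces) {
    $guid   = $ace.ObjectType.ToString()
    $want   = $expected[$guid]      # $null when the ACE is not one of the three
    $rights = $ace.ActiveDirectoryRights.ToString()
    [pscustomobject]@{
        Rights      = $rights
        ObjectType  = if ($want) { $want.Split('|')[1] } else { $guid }
        AppliesTo   = $ace.InheritedObjectType
        Inheritance = $ace.InheritanceType
        # Expected only if it is an Allow ACE of the right type, scoped to user objects
        Expected    = [bool]$want -and
                      $ace.AccessControlType -eq 'Allow' -and
                      $rights -eq $want.Split('|')[0] -and
                      $ace.InheritedObjectType.ToString() -eq $userClass
    }
}
$report | Format-Table -AutoSize

# Least-privilege check: nothing missing, nothing extra
$found   = @($report | Where-Object Expected | ForEach-Object ObjectType)
$missing = @($expected.Values | ForEach-Object { $_.Split('|')[1] } |
             Where-Object { $_ -notin $found })
$extra   = @($report | Where-Object { -not $_.Expected })
if ($missing) { Write-Warning "Missing delegation: $($missing -join ', ')" }
if ($extra)   { Write-Warning "$($extra.Count) ACE(s) beyond the three documented rights" }
```

Any row with Expected set to False is a grant to the service account that the three dsacls commands did not create and should be reviewed.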
