Self Service Password Reset
Mar 9, 2021
A quick reference to document the permissions required to enable SSPR in Okta, when using AD delegated authentication. I do this in PowerShell:
$ou = "ou=usersou,dc=domain,dc=com"
dsacls $ou /i:s /g "<domain>\ad_reset_account:CA;Reset Password;user"   # CA = control access (extended right)
dsacls $ou /i:s /g "<domain>\ad_reset_account:WP;lockoutTime;user"      # WP = write property
dsacls $ou /i:s /g "<domain>\ad_reset_account:WP;pwdLastSet;user"       # WP = write property
Reference
/i:s — inheritance flags: sub-objects only
/g — grants the specified permissions to a group or user
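
To confirm the grants landed and that the account holds nothing beyond them on the OU, the ACL can be read back. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and reuses the post's placeholder account name, and the helper `Get-SchemaGuid` is a name made up for this example.

```powershell
# Added example: audit the ACEs that the dsacls commands above should have created.
# Assumes the ActiveDirectory module (RSAT); $account keeps the post's placeholder.
Import-Module ActiveDirectory

$ou      = "ou=usersou,dc=domain,dc=com"
$account = "<domain>\ad_reset_account"
$root    = Get-ADRootDSE

# Resolve GUIDs from the directory instead of hard-coding them (hypothetical helper).
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid

$userClass = Get-SchemaGuid "user"
$expected = @(
    [pscustomobject]@{ Name = "Reset Password"; Rights = "ExtendedRight"; Guid = [guid]$resetRight.rightsGuid }
    [pscustomobject]@{ Name = "lockoutTime";    Rights = "WriteProperty"; Guid = (Get-SchemaGuid "lockoutTime") }
    [pscustomobject]@{ Name = "pwdLastSet";     Rights = "WriteProperty"; Guid = (Get-SchemaGuid "pwdLastSet") }
)

# Explicit (non-inherited) ACEs on the OU for the reset account.
$aces = @((Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited })

foreach ($e in $expected) {
    $hit = $aces | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.ActiveDirectoryRights.ToString() -match $e.Rights -and
        $_.ObjectType -eq $e.Guid -and
        $_.InheritedObjectType -eq $userClass -and   # the trailing ";user" in the grant
        $_.InheritanceType -eq "Descendents"         # /i:s, sub-objects only
    }
    "{0,-15} {1}" -f $e.Name, $(if ($hit) { "present" } else { "MISSING" })
}

# Anything else granted to the account here is outside the three ACEs listed in the post.
$extra = $aces | Where-Object { $_.ObjectType -notin $expected.Guid }
if ($extra) {
    "Unexpected ACEs for ${account}:"
    $extra | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```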