Topic Template
Published: Apr 23, 2018   -   Updated: Jun 22, 2018




This is an Early Access feature. To enable it, please contact Okta Support.

Enable Okta-mastered user OU changes

This applies to Okta-mastered users in groups associated with Active Directory (AD) instances.

If you have existing Okta-mastered users who have changed groups, their OUs in AD have not been updated. Enabling this feature will change their OU in AD.

Note: Because the provisioning flow is from Okta to AD, an OU change made in AD is not reflected in Okta. The next time Okta pushes updates to AD, the AD changes are overwritten by the Okta-mastered information.

The Assignments tab in the AD instance displays all users and groups associated with that AD instance.

Key features
  • Applies only to Okta-mastered users
  • Applies only to Active Directory provisioned users or groups

To enable OU updates:

  1. Go to Directory > Directory instance > Settings

  2. Scroll to Update Users

  3. Select Enable OU to update an Okta-mastered user's OU when the group that provisions a user to AD changes.

Use cases

Move users from one group to another

At times, you might decide to move an Okta-mastered user from one group to another. For example, a user in a group for employees in one department or location might need to be moved to a group associated with a different department or location. If these groups are associated with different OU groups, the OU associated with the user is updated in Okta and that change is pushed to AD.

Remove a group from AD provisioning

You may need to remove a group from AD provisioning. This is done in Groups > Manage Directories, where you remove that group from the provisioning flow. Okta then locates the next priority group that has AD assigned to it. If that group has a different OU assigned to it than the group just removed from AD provisioning, Okta updates the users to the new OU.
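
Both use cases come down to comparing each user's OU before and after a group change. The following added example (not Okta's code) models the behavior described above so you can preview which users would change OU before making the change; the Group structure, the list-order priority, and the sample names and DNs are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Group:
    name: str
    ad_ou: Optional[str]      # OU used for AD provisioning; None = not in the AD flow
    members: frozenset

def effective_ou(user, groups):
    """OU of the first (highest-priority) AD-provisioning group containing user."""
    for g in groups:                      # assumption: list order == group priority
        if g.ad_ou is not None and user in g.members:
            return g.ad_ou
    return None                           # no AD-provisioning group left for this user

def remove_from_ad_provisioning(groups, name):
    """Model of removing one group from the AD provisioning flow."""
    return [replace(g, ad_ou=None) if g.name == name else g for g in groups]

def plan_ou_changes(before, after):
    """Map user -> (old_ou, new_ou) for every user whose effective OU differs."""
    users = set().union(*(g.members for g in before + after))
    changes = {}
    for user in sorted(users):
        old, new = effective_ou(user, before), effective_ou(user, after)
        if old != new:
            changes[user] = (old, new)
    return changes

# Constructed sample data (not from the page), highest priority first.
SALES = "OU=Sales,DC=example,DC=com"
STAFF = "OU=Staff,DC=example,DC=com"
CONTRACTORS = "OU=Contractors,DC=example,DC=com"
GROUPS = [
    Group("Sales", SALES, frozenset({"alice", "bob"})),
    Group("All-Employees", STAFF, frozenset({"alice", "bob", "carol"})),
    Group("Contractors", CONTRACTORS, frozenset({"dave"})),
]

if __name__ == "__main__":
    after = remove_from_ad_provisioning(GROUPS, "Sales")
    for user, (old, new) in plan_ou_changes(GROUPS, after).items():
        print(f"{user}: {old} -> {new}")
```

A new OU of `None` marks a user with no remaining AD-provisioning group, a case this page does not describe, so review those users separately.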