Evans Chang 

AD OU Changes


We currently have OKTA integrated with 2 AD domains.  Our users have accounts in both domains.  When we import users into OKTA, we merge them using their email addresses.

Now, we need to change the OU structure in our main AD Domain, meaning that the user OUs and the group OUs will be moved to a different location in the Org tree.

Will OKTA pick this change up automatically and start importing from the new OU structure?  Will the users get disabled and re-enabled again?  Any gotchas we need to be aware of?

Kevin Turner (Okta, Inc.)
Provided you select the new OU structure as part of the AD agent "Settings" OU selection criteria, Okta will automatically pick up the moved users from the new OU.

You must make sure the new OU setting is selected; otherwise it would see that the user had moved from the initial OU and would deactivate the Okta user profile. If all is in place, your method will work.
Evans Chang
Kevin - thank you.  2 more questions:

1) The way that we're moving these OUs is to essentially remove the old OU and create the new OU.  How will OKTA be able to pick up the new OU structure?  Do we need to do an import first just to pick up the new OU structure in order to select the new OUs?

2) What about groups?  We are moving the group OU as well.  We'll obviously make sure that the new group OU is selected, but will the group membership relation for users be maintained?

Kevin Turner (Okta, Inc.)
You would need to do this in a couple of steps.

Firstly, add the two new OUs and perform an import to get the added OUs showing up in Okta. Make sure you can see these new OUs before you perform any moves of users or groups.

Once you can see the new OUs, make sure to add them as part of the settings. I've not tested moving groups and users as a single change; I've tended to move one and then the other. After, say, moving the users, I've done a manual import, then moved the groups and done another manual import to reflect the changes.

One thing to note is that when you move the groups from one OU to another and then perform an import, you will see a warning saying "x" users that were in groups have been updated and that "y" groups have been updated. You will also see a lot of "Push users profile to external application" or "Updated user application property" type syslog messages.

I would suggest staging a few test runs with a sample set of users and a sample set of groups rather than doing a wholesale batch process, and once tested successfully, then alter.

Just before you do this (as I've not done this on a huge number of users and groups), what's the user population here? Maybe a call with support or professional services would be wise?
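As an added example (not part of the thread, and not Okta's own tooling), the PowerShell below stages the procedure from the two replies above on a small sample: create the new OUs empty, import so Okta can see them and select them in the agent settings, move a handful of users, import, then move a handful of groups and import again. It assumes hypothetical OU DNs under corp.example.com, a hypothetical Okta org URL, an SSWS API token in the OKTA_API_TOKEN environment variable, and that each user's Okta login is their AD mail address (the thread merges on email). It goes one step beyond the reply by checking, after each import, the Okta System Log for user.lifecycle.deactivate events and each sample user's Okta group names before and after the moves, so a deactivation or lost membership stops the run before the wholesale batch.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Hypothetical DNs, org URL and sample size below;
# the Okta API token is read from $env:OKTA_API_TOKEN (an SSWS token; read access to users/logs is enough).
param(
    [string]$OldUserOu  = 'OU=Users,OU=Old,DC=corp,DC=example,DC=com',
    [string]$OldGroupOu = 'OU=Groups,OU=Old,DC=corp,DC=example,DC=com',
    [string]$NewParent  = 'OU=New,DC=corp,DC=example,DC=com',
    [string]$OktaOrg    = 'https://example.okta.com',
    [string]$OktaToken  = $env:OKTA_API_TOKEN,
    [int]   $SampleSize = 5
)
$ErrorActionPreference = 'Stop'
$NewUserOu  = "OU=Users,$NewParent"
$NewGroupOu = "OU=Groups,$NewParent"
$headers    = @{ Authorization = "SSWS $OktaToken"; Accept = 'application/json' }
$started    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

function Get-OktaGroupNames([string]$Login) {
    # /api/v1/users/{login} resolves email-style logins; returns the user's Okta group names, sorted.
    $u = Invoke-RestMethod -Headers $headers -Uri "$OktaOrg/api/v1/users/$([uri]::EscapeDataString($Login))"
    if ($u.status -eq 'DEPROVISIONED') { throw "$Login is DEPROVISIONED in Okta" }
    (Invoke-RestMethod -Headers $headers -Uri "$OktaOrg/api/v1/users/$($u.id)/groups").profile.name | Sort-Object
}

function Wait-ForImport([string]$What) {
    # The reply's advice is a manual import after each move; the operator runs it from the
    # AD integration's Import tab in the Okta admin console and confirms here.
    Read-Host "Run a manual Okta AD import now ($What), then press Enter" | Out-Null
}

function Assert-NoDeactivations {
    # System Log filter syntax: eventType eq "user.lifecycle.deactivate" (URL-encoded).
    $filter = [uri]::EscapeDataString('eventType eq "user.lifecycle.deactivate"')
    $events = Invoke-RestMethod -Headers $headers -Uri "$OktaOrg/api/v1/logs?since=$started&filter=$filter"
    if ($events.Count -gt 0) { throw "Okta deactivated $($events.Count) user(s) since $started; stop and review" }
}

function Assert-MembershipsUnchanged([hashtable]$Before, [string]$Stage) {
    foreach ($mail in $Before.Keys) {
        $after = Get-OktaGroupNames $mail
        if (Compare-Object $Before[$mail] $after) { throw "Group membership changed for $mail $Stage" }
    }
}

# 1. Create the new OUs empty, import once so Okta lists them, and tick them in the agent's
#    OU selection. Moving users before that step is what gets them deactivated.
foreach ($ou in @($NewParent, $NewUserOu, $NewGroupOu)) {
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ou'")) {
        $name, $path = $ou -split ',', 2
        New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $path
    }
}
Wait-ForImport 'so the new OUs appear; then select them under the agent OU settings'

# 2. Take a sample of users and record their Okta group names before anything moves.
$users  = Get-ADUser -SearchBase $OldUserOu -Filter * -Properties mail |
          Where-Object mail | Select-Object -First $SampleSize
$before = @{}
foreach ($u in $users) { $before[$u.mail] = @(Get-OktaGroupNames $u.mail) }

# 3. Move the sample users, import, and confirm nobody was deactivated and memberships held.
foreach ($u in $users) { Move-ADObject -Identity $u.DistinguishedName -TargetPath $NewUserOu }
Wait-ForImport 'after moving the sample users'
Assert-NoDeactivations
Assert-MembershipsUnchanged $before 'after the user move'

# 4. Groups as a separate step with its own import, then compare the same users again.
$groups = Get-ADGroup -SearchBase $OldGroupOu -Filter * | Select-Object -First $SampleSize
foreach ($g in $groups) { Move-ADObject -Identity $g.DistinguishedName -TargetPath $NewGroupOu }
Wait-ForImport 'after moving the sample groups'
Assert-NoDeactivations
Assert-MembershipsUnchanged $before 'after the group move'
Write-Host "Sample of $(@($users).Count) users and $(@($groups).Count) groups moved with no deactivations or membership changes."
```

Run it from a workstation with the RSAT ActiveDirectory module against the main domain only; the second domain in the thread is untouched by the OU move. The script throws and stops at the first deactivation or membership difference, which is the moment to revisit the agent's OU selection rather than continue to the full batch.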