Exclude certain OUs Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Joel YalungJoel Yalung 

Exclude certain OUs

Has anyone excluded OUs using the 'User Filter' field under 'Import and Provisioning'? I have a few Sub-OUs that I don't want to be imported to Okta and want to filter them out using the 'User FIlter' field but could not seem to figure out the correct parameters.

OU Syncs to Okta: OU=Users,DC=Domain,DC=com
Want to exclude: OU=Test,OU=Users,DC=Domain,DC=com
Jim MolléJim Mollé (Okta, Inc.)
Hi Joel... to my knowledge, the filter only works to filter users (not OUs) by SAM account name. If you want to exclude OUs from import, you should be able to deselect any sub-OUs you do not want to import using the tree structure option just above the filter you are referring to.
Dylann FezeuDylann Fezeu (Customer First Programs)

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

Thank you,

Dylann Fezeu
Okta Help Center Team
Joel YalungJoel Yalung
Hi Jim,
   Here's a sample of our OU structure. All our users are in the Users OU and I don't want to sync the sub-ou of Test, Training, Admins as they don't need to login to Okta. I could not unselect the Sub-OUs unless I unselect the Users OU.


Jim MolléJim Mollé (Okta, Inc.)
Hi again Joel,
My apologies... you are absolutely correct in that you cannot deselect the child OU. With that said, can you leverage the SAM Account type filter instead? 
Joel YalungJoel Yalung
Hi Jim,
  SAMAccountType filter would work if there's a naming standard or less account to exclude but not if we're talking about close to 100 accounts. Does Okta support filtering on extension attributes when doing import?