Anthony Green

User cannot log in if their user account in Active Directory changes OU

We have restructured our Active Directory, and now any user that has changed OU in Active Directory can no longer sign in to Okta or any linked SSO sites.
I cannot seem to find anywhere to update the user details.
If I try to reimport, it says the user already exists.
Parth Swadas
I think the new OU (to which new users have been migrated) wasn't in OKTA's AD import lists, so all the users should have been deactivated, and when you try to reimport it might generate an error based on "Import Matching rules" (2 same users with the same details will cause a conflict).

You should now manually activate users in OKTA and resolve the matching rules conflict.
Anthony Green
I'm not sure what I need to do.
There does not seem to be any way to manually activate a user.
The users are also already marked as Active in the Directory, so I don't think they can be activated twice.

If I open their Person Account in the Directory, an error appears:
An error occurred while provisioning rcpaqap.local
Automatic provisioning of user <Username> to app Active Directory failed: Matching user not found Please fix this on the Tasks Page

I follow the link to the Tasks page, where there is one entry:
Application assignments encountered errors
Review and correct these errors to complete these app assignments.

I click the link to review and correct, and on the next screen, I select my Active Directory listing, and choose the "Retry Selected" button. It appears to work, and I then get a message:
No assignments encountering errors were found for your query

If I click the Refresh button, the message comes back saying:
4 app assignments have errors
And wants me to Select and Retry the AD sync again.

Any ideas what I can do to fix this?

All I can think of is editing each user in the Directory, turning them into dummy users, then trying to import again.
Not really what I want to do, as it leaves these extra user accounts floating about.
Anthony Green
Further to this, there was nothing else I could do, so I went through and deleted all of the OKTA users that were causing problems.
Now, I am still unable to sync.
For some reason OKTA still finds the users in their database and will not let me Import the users again.

On the Import Users screen, the users now appear multiple times, and the OKTA side gives an error: "This choice creates a conflict"
Here's an image which shows the problem:
User-added image