Active Directory - Changing User OU's connected to Okta
I inherited an environment where I have an AD OU that contains accounts (service, etc.) that I DO NOT want connected to Okta. I know that if I uncheck the box for this OU (under Directory, Directory Integrations, Active DIrectory, Settings, User OUs connected to Okta) that any accounts in that OU will be disabled in AD.
Is there an easy way to prevent this from happening? I know that pulling up each and every account that is in this OU and clicking "Disconnect from Active Directory" will work but that is a bit of a tedious process given the number of accounts. Any other suggestions?
I don't see an option do handle it in the Okta Powershell module. Is something like this possible through the API - using "demasteruser"?
Ok, so I heard from Support (and verified myself) that even disconnecing each account from AD individually will cause the accounts to be disabled. In a bit of a catch 22 here. Only thing I can think of is to disconnect the OU and let the accounts get disabled in AD but have a script ready to immediately re-enable them....or use AD permissions to block access to the OU so the Okta AD agent can't disable them. Going to do some testing but wanted to see if anyone had any other suggestions.