Lawrence Smith

WDaaM Provisioning AD accounts

Hi,

We're working on a project at the moment, where we intend to switch over the master to Workday; currently it's AD.
When we cut over, the expectation is that Okta will create and manage AD accounts that are mastered by WD. There are a few things I'm not clear on. Firstly, is it possible to specify the destination OU based on attributes without relying on Workday provisioning groups? Secondly, if a user is provisioned in an OU - let's say sales - then someone moves them to a different OU - we'll go with finance - will Okta then move them back from finance to sales? Or is the OU a once off and not updated like attributes are?

Thanks,
Lawrence

Best Answer chosen by Lawrence Smith
Cody Suders (Okta, Inc.)
Yes, it is possible to use Okta's dynamic groups to assign AD OUs instead of Workday provisioning groups.

And no, Okta does not have the ability to move accounts from one OU to another. The OU assignment only applies to where newly provisioned users are created.

Eric Tipton
@Lawrence - we are using a combination of Workday attributes (pushed from WD->Okta->AD) and a PowerShell script to put new users in departmental OUs as well as to add them to AD Groups which in turn are used in Okta to assign applications. The script triggers when a new account is created in AD by the Okta Service account.

For users that change departments, etc. - that gets a bit trickier. We are doing that manually for now but I am looking into ways to automate it. I will likely start with a script that monitors for changes to attributes and sends an alert email. Moving them to the new departmental OU automatically would be easy enough...but adding and particularly removing applications is messier due to timing of the move, etc.

Feel free to let me know if you have questions. 

--Eric
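
The attribute-versus-OU check described in the post above, as an added example (not code from any poster in this thread or from Okta): it compares each enabled user's Department attribute with the OU the account currently sits in, reports mismatches, and moves accounts only when `-Move` is passed. The OU paths, the department names and the choice of Department as the driving attribute are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Every DN and department name below is a constructed placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # assumed parent OU
    [switch]$Move                                        # default is report-only
)

# Department value (pushed Workday -> Okta -> AD) mapped to its target OU.
$OuMap = @{
    'Sales'   = 'OU=Sales,OU=Staff,DC=example,DC=com'
    'Finance' = 'OU=Finance,OU=Staff,DC=example,DC=com'
}

function Get-ParentDn {
    param([string]$DistinguishedName)
    # Drop the leading RDN: split on the first comma that is not backslash-escaped.
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties Department
$drift = foreach ($user in $users) {
    $row = [pscustomobject]@{
        User       = $user.SamAccountName
        Dn         = $user.DistinguishedName
        Department = $user.Department
        CurrentOU  = Get-ParentDn $user.DistinguishedName
        ExpectedOU = $null
        Status     = 'Unmapped'
    }
    # An empty or unknown department is reported, never guessed at.
    if (-not $user.Department -or -not $OuMap.ContainsKey($user.Department)) { $row; continue }
    $row.ExpectedOU = $OuMap[$user.Department]
    if ($row.CurrentOU -ne $row.ExpectedOU) { $row.Status = 'Drift'; $row }
}

if ($Move) {
    # A move changes which GPOs and delegated permissions apply to the account,
    # so each one goes through ShouldProcess and honours -WhatIf / -Confirm.
    foreach ($row in $drift | Where-Object Status -eq 'Drift') {
        if ($PSCmdlet.ShouldProcess($row.Dn, "Move to $($row.ExpectedOU)")) {
            Move-ADObject -Identity $row.Dn -TargetPath $row.ExpectedOU
        }
    }
}

$drift  # emit rows so the caller can export, alert on, or review them
```

Run without `-Move` to get the report only; the account running it needs read access for the report and move rights on the source and target OUs only when `-Move` is used.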
Lawrence Smith
Thanks Eric - I had already considered that, though trying not to overload myself with a big list of scripts to create for the project. :)