AD LDAP Filter Does Not Deactivate Users Using memberOf Filter
Overview

The "Active Directory (AD) LDAP Filter" is an Early Access (EA) feature that lets an Okta admin restrict AD imports with an LDAP user filter. When memberOf is used in that filter so that adding a user to, or removing a user from, a group controls whether the user is provisioned or de-provisioned, scheduled incremental imports neither import the affected users nor change their status. Only a manual "Full import" picks the change up.

Applies To
  • Directories
  • Active Directory
  • AD LDAP Filter
  • memberOf
Cause
AD incremental imports use the uSNChanged attribute to decide whether an object has been modified since the last import and needs to be re-read. Changing a group's membership writes the group's member attribute, so the group's uSNChanged advances; the user's uSNChanged does not, because memberOf is a back-link attribute computed from the member values of groups rather than data stored on the user object. Since the user's uSNChanged has not moved, Okta does not re-scan the user object, never sees that its group membership changed, and the account remains active in Okta.
Solution

Use an attribute that is stored on the user object itself (so that changing it advances the user's uSNChanged) in the LDAP filter to control de-provisioning, or run a full import to sync the changes. A full import re-evaluates every user against the filter regardless of uSNChanged, which is why it catches the membership change that an incremental import misses.
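The following is an added example, not Okta's code or anything from this article: a small simulation of the cause and the workaround described above. It models a directory where every write stamps the written object with the next domain-wide USN, treats memberOf as a back-link computed from group member values, and runs an incremental import (re-evaluating only users whose own uSNChanged moved past the last watermark) and a full import (re-evaluating everyone) against two user filters. The group and user DNs, the employeeType value "OktaUser", and the ACTIVE/DEPROVISIONED statuses are constructed for the demonstration; the choice of employeeType as the user-side attribute is one assumption, any attribute written on the user object behaves the same way.

```python
# Added example: toy model of AD uSNChanged and Okta incremental vs full imports.
# Not Okta's code. DNs, attribute values and statuses below are constructed.
from dataclasses import dataclass, field

GROUP_DN = "CN=Okta Users,OU=Groups,DC=example,DC=com"   # constructed
USER_DN = "CN=alice,OU=Users,DC=example,DC=com"          # constructed


@dataclass
class ADObject:
    dn: str
    object_class: str
    usn_changed: int = 0
    attrs: dict = field(default_factory=dict)


class Directory:
    """Minimal AD model: each write bumps a domain-wide USN and stamps it on
    the object that was written, which is what uSNChanged records."""

    def __init__(self):
        self.objects = {}
        self.highest_usn = 0

    def _touch(self, obj):
        self.highest_usn += 1
        obj.usn_changed = self.highest_usn

    def add(self, dn, object_class, **attrs):
        obj = ADObject(dn, object_class, attrs=dict(attrs))
        self.objects[dn] = obj
        self._touch(obj)
        return obj

    def set_attr(self, dn, name, value):
        obj = self.objects[dn]
        obj.attrs[name] = value
        self._touch(obj)            # the user object itself is written

    def add_member(self, group_dn, user_dn):
        group = self.objects[group_dn]
        group.attrs.setdefault("member", set()).add(user_dn)
        self._touch(group)          # only the group's uSNChanged moves

    def remove_member(self, group_dn, user_dn):
        group = self.objects[group_dn]
        group.attrs.get("member", set()).discard(user_dn)
        self._touch(group)          # again: group written, user untouched

    def member_of(self, user_dn):
        """memberOf is a back-link derived from groups' member attributes; it
        is not stored on the user and never advances the user's uSNChanged."""
        return {dn for dn, o in self.objects.items()
                if o.object_class == "group" and user_dn in o.attrs.get("member", set())}


class OktaImport:
    """Toy stand-in for the AD import: users matching the filter are ACTIVE,
    users that stop matching are DEPROVISIONED."""

    def __init__(self, directory, user_filter):
        self.d = directory
        self.user_filter = user_filter
        self.status = {}
        self.last_usn = 0           # high-water mark from the previous import

    def _apply(self, user):
        self.status[user.dn] = "ACTIVE" if self.user_filter(self.d, user) else "DEPROVISIONED"

    def full_import(self):
        for obj in self.d.objects.values():
            if obj.object_class == "user":
                self._apply(obj)
        self.last_usn = self.d.highest_usn

    def incremental_import(self):
        # Only users whose own uSNChanged passed the watermark are re-evaluated.
        for obj in self.d.objects.values():
            if obj.object_class == "user" and obj.usn_changed > self.last_usn:
                self._apply(obj)
        self.last_usn = self.d.highest_usn


# The problematic filter, (&(objectClass=user)(memberOf=<group>)), and one keyed
# on an attribute stored on the user, (&(objectClass=user)(employeeType=OktaUser)).
def memberof_filter(d, user):
    return GROUP_DN in d.member_of(user.dn)


def employee_type_filter(d, user):
    return user.attrs.get("employeeType") == "OktaUser"


def run_scenario(user_filter, offboard):
    """Provision alice, offboard her with the given action, and return her
    status after an incremental import and after a subsequent full import."""
    d = Directory()
    d.add(GROUP_DN, "group")
    d.add(USER_DN, "user", employeeType="OktaUser")
    d.add_member(GROUP_DN, USER_DN)
    okta = OktaImport(d, user_filter)
    okta.full_import()
    assert okta.status[USER_DN] == "ACTIVE"
    offboard(d)
    okta.incremental_import()
    after_incremental = okta.status[USER_DN]
    okta.full_import()
    return after_incremental, okta.status[USER_DN]


def memberof_scenario():
    return run_scenario(memberof_filter, lambda d: d.remove_member(GROUP_DN, USER_DN))


def attribute_scenario():
    return run_scenario(employee_type_filter,
                        lambda d: d.set_attr(USER_DN, "employeeType", "Contractor"))


if __name__ == "__main__":
    print("memberOf filter (incremental, full):", memberof_scenario())
    print("employeeType filter (incremental, full):", attribute_scenario())
```

With the memberOf filter the user stays ACTIVE after the incremental import and is only DEPROVISIONED by the full import, because removing her from the group advanced the group's uSNChanged, not hers. With the employeeType filter the offboarding write lands on the user object, her uSNChanged passes the watermark, and the incremental import deprovisions her immediately.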
 
