<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Active Directory System-Only Attributes Cannot be Modified by Okta
Oct 28, 2025
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article explains why Okta cannot modify certain Active Directory (AD) attributes with the setting: systemOnly=TRUE.

Applies To
  • Directories
  • Active Directory (AD)
  • Provisioning
Solution

Active Directory attributes with systemOnly=TRUE are only modifiable by the Active Directory system. This means that Okta is not able to update this attribute. A list of all attributes with this value set to TRUE can be found using the following PowerShell command:
 

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(objectClass=attributeSchema)(systemOnly=TRUE))" -Properties isCriticalSystemObject | Select-Object Name


A few common examples of attributes with this value set to TRUE are listed below:

  • Object-Classes
  • Object-Guid
  • Object-Sid
  • Reports

Related References

Recommended content

Still looking for help?
Loading
Active Directory System-Only Attributes Cannot be Modified by Okta