The following error displays next to the user under the Directory Assignment list or under Dashboard > Tasks:
Automatic provisioning of user "username " to app Active Directory failed: Error provisioning AD user: Target OU is not an import OU
- Directories
- Active Directory (AD)
- Provisioning
There are two possible causes for this error:
- The group that provisions users to Active Directory is configured to create users in an OU that is not selected in the directory integration in Okta.
- The distinguishedName attribute has been mapped in the Directory provisioning settings.
To confirm the correct OU configuration, please follow the steps below:
- First, review the OU selection for the directory integration in Okta.
  - Select the appropriate directory integration under Directory > Directory Integrations and then select Provisioning > Integration.
  - Review the selected OUs next to User OUs connected to Okta.
- Next, check the OUs selected in the group that provisions to Active Directory.
  - Open the appropriate group under Directory > Groups and select the Directories tab.
  - Click the pencil icon next to the directory and expand the Organizational Units under Default Attributes.
The OU selected in the provisioning group must be selected in the directory integration. To ensure that the OU selected in the provisioning group matches the directory integration, either change the OU in the provisioning group to match the integration selection or add the selected OU in the provisioning group to the directory integration.
To confirm the distinguishedName configuration, please check the following:
- Check whether the distinguishedName attribute is configured in the directory attribute mappings (Directory > Directory Integrations > [AD Instance] > Provisioning > To App). The distinguishedName is a calculated field that combines the CN and the user’s OU. AD will determine and write this value, so it should not be configured in the directory mappings.
- If this attribute is mapped, then remove the mapping, save the configuration, and retry provisioning.
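Both checks above can be run offline against values copied by hand from the admin console. The following is an added example, not Okta code: the function names and sample DNs are constructed, and it assumes an OU counts as selected only when its exact DN appears in the integration's list (compared case-insensitively, ignoring spaces after separators).

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (a backslash escapes the next char)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escaped pair together, e.g. "\,"
            i += 2
        elif dn[i] == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Lower-case and trim every RDN so equal OUs compare equal as strings."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def audit(import_ous, group_target_ous, to_app_mappings):
    """Return findings for the two causes of 'Target OU is not an import OU'."""
    selected = {normalize_dn(ou) for ou in import_ous}
    findings = []
    for group, ou in group_target_ous.items():
        if normalize_dn(ou) not in selected:
            findings.append(f"group '{group}': target OU '{ou}' is not selected in the integration")
    if any(attr.lower() == "distinguishedname" for attr in to_app_mappings):
        findings.append("distinguishedName is mapped under To App; remove the mapping")
    return findings

# Constructed sample values, not taken from a real tenant.
IMPORT_OUS = ["OU=Staff,DC=corp,DC=example,DC=com",
              r"OU=Sales\, EMEA,DC=corp,DC=example,DC=com"]
GROUPS = {
    "AD-Staff": "ou=staff, dc=corp, dc=example, dc=com",            # same OU, different spelling
    "AD-Sales": r"OU=Sales\, EMEA,DC=corp,DC=example,DC=com",       # escaped comma in the OU name
    "AD-Interns": "OU=Interns,OU=Staff,DC=corp,DC=example,DC=com",  # child OU that is not listed
}
MAPPINGS = ["givenName", "sn", "distinguishedName"]

if __name__ == "__main__":
    for finding in audit(IMPORT_OUS, GROUPS, MAPPINGS):
        print(finding)
```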
