<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta Active Directory Provisioning Fails with "Target OU Is Not an Import OU" Error
May 1, 2026
Okta Classic Engine
Directories
Okta Identity Engine
Overview

Okta generates a provisioning error when the target Organizational Unit (OU) is not also selected as an import OU in the directory integration settings or when the distinguishedName attribute maps incorrectly. Resolve this issue by aligning the OU selected in the provisioning group with the directory integration settings or by removing the distinguishedName attribute mapping. The following error displays next to the user under the Directory Assignment list or under Dashboard > Tasks:

 

Automatic provisioning of user "username " to app Active Directory failed: Error provisioning AD user: Target OU is not an import OU



 Admin Dashboard Tasks - Active Directory Assignment Error - target OU is not an import OU  

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Provisioning
Cause

Two possible causes trigger this error:

  • The group that provisions users to Active Directory (AD) creates users in an Organizational Unit (OU) that is not selected in the directory integration within Okta.
  • The Directory provisioning settings map the distinguishedName attribute.
Solution

What steps resolve the error "Target OU is not an Import OU" during Active Directory provisioning?

Correct the AD OU configuration or distinguishedName attribute mapping to resolve this error.

How to confirm the Organizational Unit configuration?

Review the Organizational Unit selection for the directory integration in Okta and verify the OUs selected in the group that provisions to Active Directory.

  1. Navigate to Directory > Directory Integrations and select the appropriate directory integration.
  2. Select Provisioning > Integration.
  3. Review the selected OUs next to User OUs connected to Okta.

User OUs connected to Okta

  1. Navigate to Directory > Groups and open the provisioning group.
  2. Select the Directories tab.
  3. Select the pencil icon next to the directory and expand the Organizational Units under Default Attributes.

Directories

The OU selected in the provisioning group must also be selected in the directory integration User OUs. Change the OU in the provisioning group to match the integration selection, or add the OU selected in the provisioning group to the directory integration.

How to confirm the distinguishedName configuration?

Check the directory attribute mappings to ensure the distinguishedName attribute is not configured, and remove the mapping if it exists.

  1. Navigate to Directory > Directory Integrations > [AD Instance] > Provisioning > To App.
  2. Verify whether the distinguishedName attribute is configured in the directory attribute mappings.
  3. Remove the mapping if the attribute maps to a value.
  4. Save the configuration and retry provisioning.
NOTE: The distinguishedName is a calculated field that combines the user's CN and OU. AD will determine and maintain this value, so it should not be mapped from Okta.

AD Provisioning To App - Attribute Mappings - distinguishedName not mapped

 

Related References

Recommended content

Still looking for help?
Loading
Okta Active Directory Provisioning Fails with "Target OU Is Not an Import OU" Error