Okta Active Directory Provisioning Fails With Error "A Device Attached to the System Is Not Functioning"
Overview

Okta Active Directory (AD) provisioning fails when the sAMAccountName attribute exceeds 20 characters or contains unsupported special characters. Resolving this issue requires either unmapping the sAMAccountName attribute, applying an Okta Expression Language (OEL) expression to limit the attribute length, or removing the special characters from the value.

The following error appears when provisioning fails:

Automatic provisioning of {user} to app Active Directory failed: Error provisioning active_directory user: A device attached to the system is not functioning.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Provisioning
  • Okta Expression Language (OEL)
Cause

AD provisioning fails due to one of the following sAMAccountName attribute issues:

  • AD limits the sAMAccountName attribute to 20 characters. If the value exceeds 20 characters, provisioning fails with this error.
  • The following special characters in a user's sAMAccountName value also produce this error: "/ \ [ ] : ; | = , + * ? < > $

For more details on sAMAccountName attribute restrictions, check the SAM-Account-Name attribute - Win32 apps documentation.

Solution

How is the Active Directory provisioning error resolved?

The sAMAccountName attribute is not required to provision a new account to AD. One resolution is to unmap the attribute. Before unmapping, confirm that sAMAccountName is not used as the application username format for any existing application.

The following options address each cause of this error:

If the issue is related to attribute length:

  • To keep the sAMAccountName mapping and limit the value to 20 characters, apply the following OEL expression in the Profile Editor:
    String.substring((substringBefore(user.login, "@")), 0, 20)

If the issue is related to special characters:

  • Remove all unsupported special characters from the sAMAccountName value to successfully provision the user to AD.

NOTE: If an Okta Group that contains the same set of special characters is assigned as a Push Group to AD, Okta strips the special characters from the group's sAMAccountName.
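To find affected users before provisioning, the following added example (not Okta's code) derives the value the OEL mapping above would produce and checks it against the length limit and the unsupported characters listed under Cause. It goes one step beyond the article by also flagging logins that become identical once cut to 20 characters. The function names and sample logins are constructed for illustration, and the handling of a login without "@" is an assumption.

```python
from collections import defaultdict

# Characters the article lists as unsupported in sAMAccountName.
UNSUPPORTED = set('"/\\[]:;|=,+*?<>$')
MAX_LEN = 20  # AD limit on sAMAccountName stated in the article

def derive_sam(login: str) -> str:
    """Local part of the login cut to 20 characters, mirroring the OEL mapping."""
    local = login.split("@", 1)[0]  # assumption: no "@" means the whole value is used
    return local[:MAX_LEN]

def check_sam(value: str) -> list[str]:
    """Return the reasons a candidate sAMAccountName would be rejected."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"length {len(value)} exceeds {MAX_LEN}")
    bad = sorted(set(value) & UNSUPPORTED)
    if bad:
        problems.append("unsupported characters: " + " ".join(bad))
    return problems

def preflight(logins: list[str]) -> dict[str, list[str]]:
    """Map each login to the problems its derived sAMAccountName would have."""
    report = {login: check_sam(derive_sam(login)) for login in logins}
    # Truncation can map different logins to one value; AD compares
    # account names case-insensitively, so group on the lowercased form.
    by_sam = defaultdict(list)
    for login in report:
        by_sam[derive_sam(login).lower()].append(login)
    for sam, owners in by_sam.items():
        if len(owners) > 1:
            for login in owners:
                others = [o for o in owners if o != login]
                report[login].append(f"collides with {', '.join(others)} as {sam!r}")
    return report

# Constructed sample logins, not taken from any real tenant.
SAMPLE = [
    "alice@example.com",
    "bartholomew.featherstone.admin@example.com",
    "bartholomew.featherstone.ops@example.com",
    "dev+test@example.com",
]

if __name__ == "__main__":
    for login, problems in preflight(SAMPLE).items():
        print(login, "->", derive_sam(login), "|", "; ".join(problems) or "ok")
```

The mapping expression only shortens the value, so a login such as the last sample still fails on the "+" character and needs the special-character fix as well.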
