All scheduled Active Directory (AD) imports run as Incremental imports, which scan only user and group objects whose uSNChanged attribute value has changed since the last Incremental import. This article explains why some attributes do not update during an incremental import but do update after a full manual import.
- Directories
- Active Directory
- Incremental Imports
- uSNChanged
Certain AD attributes defined as Constructed attributes do not update an AD object's uSNChanged attribute when they are modified. As a result, the incremental import does not scan the object after a change to a constructed attribute. Constructed attributes are computed based on other attributes and objects.
To determine which attributes are Constructed in the AD Schema, run the following PowerShell command:
(Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))" | Select-Object Name,DistinguishedName | Sort-Object Name)
Okta does not recommend mapping constructed AD attributes to an Okta profile if scheduled imports are used in the environment.
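To apply this recommendation to a specific set of mappings, the following added example (not Okta's own code) looks up each attribute by its lDAPDisplayName and tests the same systemFlags bit (4) as the command above. The function name Test-ConstructedAttribute and the sample attribute list are hypothetical; the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: report which of a given list of AD attributes are constructed.
Import-Module ActiveDirectory

# Sample list made up for this example. Replace it with the lDAPDisplayNames
# of the AD attributes that are mapped to the Okta profile in your environment.
$MappedAttributes = @('mail', 'department', 'canonicalName', 'msDS-UserPasswordExpiryTimeComputed')

function Test-ConstructedAttribute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LdapDisplayName
    )

    $schemaNC = (Get-ADRootDSE).SchemaNamingContext

    foreach ($name in $LdapDisplayName) {
        # Accept only plain attribute names so nothing unexpected reaches the LDAP filter.
        if ($name -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
            Write-Warning "Skipping '$name': not a valid lDAPDisplayName."
            continue
        }

        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, systemFlags

        if (-not $attr) {
            # The name is not defined in this forest's schema.
            [pscustomobject]@{ Attribute = $name; InSchema = $false; Constructed = $null }
            continue
        }

        [pscustomobject]@{
            Attribute   = $attr.lDAPDisplayName
            InSchema    = $true
            # Bit 4 of systemFlags marks the attribute as constructed.
            Constructed = [bool]($attr.systemFlags -band 4)
        }
    }
}

# List every mapped attribute, constructed ones first. Changes to those
# do not update uSNChanged and are not picked up by incremental imports.
Test-ConstructedAttribute -LdapDisplayName $MappedAttributes |
    Sort-Object Constructed -Descending |
    Format-Table -AutoSize
```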