Scheduled Active Directory (AD) incremental imports fail to synchronize certain attributes, although these attributes update successfully during a full manual import. This occurs because constructed AD attributes do not update the uSNChanged attribute when modified, causing the incremental import to skip the object. Okta does not recommend mapping constructed AD attributes to an Okta profile when using scheduled imports.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Incremental Imports
Constructed AD attributes do not update the uSNChanged attribute of an AD object when their value changes. As a result, the incremental import, which relies on uSNChanged to find changed objects, does not scan the object after a change to a constructed attribute. A constructed attribute's value is computed from other attributes and objects rather than stored directly on the object.
How are constructed Active Directory attributes identified and managed?
Okta does not recommend mapping constructed AD attributes to an Okta profile if the environment uses scheduled imports.
Execute the following PowerShell command to determine which attributes are constructed in the AD Schema.
# Lists attributeSchema objects whose systemFlags has bit 0x4 (FLAG_ATTR_IS_CONSTRUCTED) set; requires the ActiveDirectory module
(Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))" | Select-Object Name,DistinguishedName | Sort-Object Name)
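The following PowerShell script is an added example, not part of the Okta article: it runs the same schema query and then checks a list of AD attribute names (a constructed sample here; replace it with the attributes your Okta profile mapping actually uses) against the constructed set, so you can spot mappings that scheduled incremental imports will miss. It assumes the ActiveDirectory module (RSAT) is installed and the session can reach a domain controller.

```powershell
# Added example: flag Okta-mapped AD attributes that are constructed.
# Constructed attributes are computed on read and do not bump uSNChanged,
# so scheduled incremental imports never see changes to them.
Import-Module ActiveDirectory

# Constructed sample list; substitute the LDAP display names in your Okta AD profile mapping.
$mappedAttributes = @(
    'sAMAccountName',
    'mail',
    'department',
    'canonicalName',                        # a constructed attribute
    'msDS-UserPasswordExpiryTimeComputed'   # a constructed attribute
)

# Same filter as the article's command: systemFlags bit 0x4 = FLAG_ATTR_IS_CONSTRUCTED.
# lDAPDisplayName is used (not Name) because Okta mappings reference LDAP display names.
$schemaNC = (Get-ADRootDSE).SchemaNamingContext
$constructed = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(systemFlags:1.2.840.113556.1.4.803:=4)(objectClass=attributeSchema))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName

# -contains is case-insensitive for strings, matching LDAP attribute name semantics.
foreach ($attr in $mappedAttributes) {
    if ($constructed -contains $attr) {
        Write-Warning "$attr is constructed: changes do not update uSNChanged and will be skipped by incremental imports."
    } else {
        Write-Output "$attr is a stored attribute: incremental imports will pick up changes."
    }
}
```

Attributes reported with a warning should be removed from the mapping or refreshed only by a full import, as the article recommends.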
