Okta Accounts are Not Deactivated when Active Directory Accounts Expire
Overview

Okta accounts remain active when Active Directory (AD) accounts expire because account expiration does not change the userAccountControl attribute to a disabled state. When an AD account expires, the user can no longer authenticate to Okta through Delegated Authentication, but the Okta account itself stays active. Resolve this by manually disabling the expired AD account, moving the account to an Organizational Unit (OU) that is not synced, or applying an LDAP filter that excludes expired accounts during imports.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
Cause

To determine whether an AD user is active during an import, Okta evaluates the userAccountControl attribute of the user object. Okta only recognizes the AD account as disabled, and performs the action that the directory provisioning configuration specifies, when the ACCOUNTDISABLE flag is set in userAccountControl.

When an AD account expires because its account expiration date has passed, the userAccountControl value does not change, so the object is not classified as disabled. An account in this state fails to authenticate to Okta via Delegated Authentication because of its expired status, but Okta does not deactivate it.

When an administrator explicitly disables an AD account, the userAccountControl value updates, and Okta deactivates the account during the next sync or import.

Solution

How is the issue of Okta accounts not being deactivated when Active Directory accounts expire resolved?

Trigger the deactivation by disabling the expired AD account and then running an import in Okta. Okta recognizes the AD user account as disabled and performs the action specified in the directory provisioning settings, such as deactivation or suspension.

If disabling the AD account is not possible, use one of the following alternative methods.

  • Move the AD account to an OU that does not sync with Okta, and then perform a full import.
  • Contact Support to enable the Early Access (EA) feature that allows LDAP filters during imports, and specify a user LDAP filter that excludes accounts in an expired status.

NOTE: Improper use of an LDAP filter can lead to unintended behavior, including mass user deprovisioning. Support cannot assist with the syntax or testing of LDAP filters.
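The gap described in the Cause section, and the exclude-expired LDAP filter from the Solution, as an added example written for this article (it is not Okta's or Microsoft's code). It decodes userAccountControl and accountExpires on constructed sample user objects, reports which account is expired in AD but still looks active to an import, and builds the filter clause that would keep such accounts out of scope. The ACCOUNTDISABLE bit value (0x2), the NORMAL_ACCOUNT bit (0x200), the FILETIME epoch and the two "never expires" sentinel values of accountExpires are Microsoft-documented; the function names, the fixed "current time" and the sample users are assumptions made here.

```python
from datetime import datetime, timezone

# userAccountControl bit for a disabled account (Microsoft-documented value).
ACCOUNTDISABLE = 0x0002
# userAccountControl bit for an ordinary user account.
NORMAL_ACCOUNT = 0x0200
# accountExpires values that mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Known-value anchor: the Unix epoch is FILETIME 116444736000000000.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_disabled(user_account_control):
    """What an import checks: is the ACCOUNTDISABLE flag set?"""
    return bool(user_account_control & ACCOUNTDISABLE)


def is_expired(account_expires, now_filetime):
    """What Delegated Authentication hits: has the expiration date passed?"""
    if account_expires in NEVER_EXPIRES:
        return False
    return account_expires < now_filetime


def classify(user, now_filetime):
    """Compare the import view of a user with its expiration state in AD."""
    disabled = is_disabled(user["userAccountControl"])
    expired = is_expired(user["accountExpires"], now_filetime)
    return {
        "sAMAccountName": user["sAMAccountName"],
        "seen_as_disabled_on_import": disabled,  # this is what drives deprovisioning
        "expired_in_ad": expired,                # this is what blocks Delegated Authentication
        "gap": expired and not disabled,         # the case this article describes
    }


def gap_accounts(users, now):
    """Names of users that are expired in AD but still look active to an import."""
    now_ft = to_filetime(now)
    return [c["sAMAccountName"] for c in (classify(u, now_ft) for u in users) if c["gap"]]


def exclude_expired_clause(now_filetime):
    """LDAP clause keeping only never-expiring or not-yet-expired accounts.
    AND this into the existing user filter; note the threshold is frozen
    at the moment the clause is written (assumed syntax: AD allows >= on
    the large-integer accountExpires attribute)."""
    return (f"(|(accountExpires=0)(accountExpires={NEVER_EXPIRES[1]})"
            f"(accountExpires>={now_filetime}))")


def import_scope(users, now):
    """Users the clause above leaves in scope (same predicate, evaluated locally)."""
    now_ft = to_filetime(now)
    return [u["sAMAccountName"] for u in users if not is_expired(u["accountExpires"], now_ft)]


# Constructed sample objects; "now" is fixed so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_JAN31 = to_filetime(datetime(2024, 1, 31, tzinfo=timezone.utc))
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT, "accountExpires": _JAN31},  # expired, not disabled
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "accountExpires": _JAN31},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT, "accountExpires": NEVER_EXPIRES[1]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(classify(u, to_filetime(NOW)))
    print("expired in AD but still active in Okta:", gap_accounts(SAMPLE_USERS, NOW))
    print("filter clause:", exclude_expired_clause(to_filetime(NOW)))
    print("left in import scope:", import_scope(SAMPLE_USERS, NOW))
```

Two points follow from the model. First, `bob` is the account this article is about: the FILETIME in accountExpires is in the past, so Delegated Authentication fails, yet the ACCOUNTDISABLE bit is clear, so an import keeps treating him as active; `carol` shows that setting the bit is what flips the import view. Second, because the clause carries a fixed FILETIME threshold, accounts that expire after it was written are not excluded until the filter is regenerated with a newer value, and any user the clause drops from scope is subject to the provisioning action noted above, so verify the clause against a non-production OU before applying it to the full import.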
