To determine whether an Active Directory (AD) user is active during an import, Okta evaluates the userAccountControl attribute of the user object. The AD user must be in a disabled state (userAccountControl value of ACCOUNTDISABLE) for Okta to recognize the AD account as disabled and to take any action on the Okta user specified in the directory provisioning configuration.
- When an Active Directory account expires because its "Account expires" date has passed, the userAccountControl value remains unchanged, and the object is not classified as disabled. However, an account in this state will be prevented from authenticating to Okta via Delegated Authentication due to its expired status.
- When an Active Directory account is disabled, the value for userAccountControl is updated, prompting Okta to deactivate the account during the next sync or import.
Disable the expired AD account and perform an import in Okta. The AD user account will be recognized as disabled, and any Okta user action specified in the directory provisioning settings (deactivation or suspension) will be performed.
Alternatively, if the AD account cannot be disabled, options include:
- Move the AD account to an OU that is not synced with Okta, and then perform a full import.
- Contact Support to enable the EA feature to allow LDAP filters to be applied during imports and specify a user LDAP filter that excludes accounts in an expired status. NOTE: The improper use of an LDAP filter has the potential for unintended behavior, including mass deprovisioning of users. Support cannot assist with the syntax or testing of LDAP filters.
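The following added example (not Okta's code) shows the distinction described above: the ACCOUNTDISABLE bit in userAccountControl is what an import acts on, while an elapsed accountExpires leaves that attribute untouched. It classifies constructed AD entries the way an import would see them and builds a static LDAP filter that excludes already-expired accounts; the filter shape is an illustration, since AD filters cannot reference "now" and the value must be regenerated before each import.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit that an import reads as "disabled" (UF_ACCOUNTDISABLE).
ACCOUNTDISABLE = 0x0002
# accountExpires values that mean "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# Windows FILETIME epoch (1601-01-01 UTC); accountExpires counts 100-ns ticks from it.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an accountExpires/FILETIME integer to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to a FILETIME integer (100-ns ticks)."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify(user: dict, now: datetime) -> str:
    """How an import sees the object: 'disabled', 'expired' (not disabled) or 'active'."""
    uac = int(user["userAccountControl"])
    if uac & ACCOUNTDISABLE:
        return "disabled"  # provisioning action (deactivate/suspend) applies
    expires = int(user.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"  # userAccountControl unchanged: import treats as active
    return "active"


def exclude_expired_filter(now: datetime) -> str:
    """Static LDAP filter matching only accounts that have not expired as of `now`."""
    return ("(|(accountExpires=0)(accountExpires=9223372036854775807)"
            f"(accountExpires>={datetime_to_filetime(now)}))")


# Constructed sample entries, not real directory data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": 512, "accountExpires": 0},  # NORMAL_ACCOUNT
    "bob":   {"userAccountControl": 514, "accountExpires": 0},  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": {"userAccountControl": 512,                        # expiry date has passed
              "accountExpires": datetime_to_filetime(datetime(2024, 1, 31, tzinfo=timezone.utc))},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_USERS.items():
        print(f"{name}: {classify(attrs, NOW)}")
    print(exclude_expired_filter(NOW))
```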
