When an administrator disables an Active Directory (AD) account and moves it to an unsynchronized Organizational Unit (OU), Okta does not deactivate the user during a scheduled incremental import because the import does not scan out-of-scope OUs. To resolve this issue, administrators must run a manual full import or avoid moving disabled users to unsynchronized OUs before an import runs.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
Scheduled AD imports in Okta are incremental by default. When an incremental import runs, Okta executes an LDAP query to search for users with a specific value for the uSNChanged attribute and only in the OUs designated for the Okta import scope. This limits the import to users in synchronized OUs that have been modified since the last import.
If an administrator moves a user to an OU in AD that is not selected in Okta, an incremental import does not detect this change. An incremental import does not scan every object in an OU, leaving Okta unaware of objects moved outside the OU.
In scenarios where Okta imports users from AD via Just-In-Time (JIT) provisioning and the administrator enables "Skip Users During Import" Okta deactivates users via JIT only when the user attempts to sign in, or an administrator refreshes the user profile on the People page.
How does an administrator ensure Okta deactivates a disabled AD user after moving the AD account to an unsynchronized OU?
Initiating a manual full import or retaining the disabled user in a synchronized OU allows Okta to detect the directory changes and correctly deactivate the user account.
-
Maintain the disabled user in a synchronized OU until the scheduled import executes.
-
Run a manual full import from the Okta Admin Console.
