After an account is moved to an Organizational Unit (OU) in Active Directory (AD) that is not synced with Okta, the user is not deactivated in Okta as expected after a scheduled import. If the account is disabled and moved to an unsynchronized OU before a scheduled import is run, the user will not be deactivated in Okta.
- Directories
- Active Directory (AD)
Scheduled imports are incremental by default.
- When an incremental import is performed, Okta runs an LDAP query to search for users with a specific value for the attribute uSNChanged. This limits the import to users in synced OUs that have been modified since the last incremental import.
- See How AD Incremental Imports Work for more information on incremental AD imports.
If a user is moved to an OU in Active Directory that is not selected in Okta, an Incremental Import will not see this change.
- This is because an incremental import does not scan every object in an OU, so it is unaware of objects moved outside the OU.
In a scenario where users are imported into Okta from AD via Just-In-Time (JIT) provisioning and "Skip Users During Import" is enabled, the only way that users can be deactivated is via JIT when the user tries to sign in or an Okta Admin loads or refreshes the user's profile on the People page.
Do not move the disabled user to an out-of-scope OU before an import runs or run a manual Full Import from the Okta Admin dashboard.
