User Profile Push Fails with Error "failed application.provision.user.push_profile"
Okta Classic Engine
Directories
Okta Identity Engine
Overview

This article explains how to troubleshoot an Active Directory User Push failure, in which the AD Agent logs report:

 

Could not locate entry with DN.

 

Example of Active Directory (AD) Agent Logs

Could not locate entry with DN <GUID=83781D58-4274-40D1-BC45-1B7483EDA7C7>

 

Example of System log entry:

  • A User Profile Push to Active Directory fails with the error:

 

failed application.provision.user.push_profile (see screenshot below) 

 

Error Message  

 

Applies To
  • Active Directory
  • Profile Push
Cause

When provisioning a user to Active Directory, some attributes may be missing, or a Group may be excluded from the provisioning scope.  

See the Missing Manager attributes example documented in Active Directory Provisioning Error "There is no such object on the server".

Solution

To track down the source of the problem: 

  1. Search for the GUID in Active Directory to confirm the user exists.
  2. Check the Organizational Unit (OU) Context to confirm Okta is looking in the correct location.
  3. Check the Attributes being changed to confirm that the changes are valid.

 

Search for the GUID

Searching by GUID in AD requires the LDAP query to be formatted in a specific way: the GUID must be written as a byte array in hex, with each byte preceded by a backslash. As the example shows, the bytes of the first three GUID groups appear in reversed order. The GUID in the example above would need an LDAP query like this:

(objectGUID=\58\1D\78\83\74\42\D1\40\BC\45\1B\74\83\ED\A7\C7)

This value is the user account's objectGUID. Run the search against all Active Directory (AD) Domain Controllers (DCs) to see whether there is a replication issue.
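As an added example (not Okta's code and not part of the original article), the Python below converts a GUID copied from the agent log into the escaped-byte search filter described above and pulls the GUIDs out of agent log lines. The function names, the sample timestamps and the second GUID are assumptions made for illustration.

```python
import re
import uuid

# The two AD agent log messages quoted in this article.
GUID_LINE = re.compile(
    r"(Could not locate entry with DN|Modifying object at DN) "
    r"<GUID=([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})>"
)

def guid_to_ldap_filter(guid_text):
    """Build an objectGUID search filter from a GUID in string form."""
    # objectGUID is stored with the first three GUID groups byte-reversed
    # (little-endian); uuid's bytes_le gives exactly that 16-byte layout.
    raw = uuid.UUID(guid_text).bytes_le
    return "(objectGUID=" + "".join("\\%02X" % b for b in raw) + ")"

def ldap_filter_to_guid(ldap_filter):
    """Inverse: recover the string GUID from the escaped bytes in a filter."""
    pairs = re.findall(r"\\([0-9A-Fa-f]{2})", ldap_filter)
    if len(pairs) != 16:
        raise ValueError("expected 16 escaped bytes, found %d" % len(pairs))
    return str(uuid.UUID(bytes_le=bytes.fromhex("".join(pairs)))).upper()

def filters_from_log(lines):
    """Return {GUID: {"filter": ..., "events": [...]}} for matching lines."""
    found = {}
    for line in lines:
        match = GUID_LINE.search(line)
        if match is None:
            continue
        guid = match.group(2).upper()
        entry = found.setdefault(
            guid, {"filter": guid_to_ldap_filter(guid), "events": []})
        entry["events"].append(match.group(1))
    return found

# Constructed sample input: the timestamps and the second GUID are made up;
# only the message text and the first GUID come from the article.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 Modifying object at DN <GUID=83781D58-4274-40D1-BC45-1B7483EDA7C7>",
    "2024-01-01 10:00:01 Could not locate entry with DN <GUID=83781D58-4274-40D1-BC45-1B7483EDA7C7>",
    "2024-01-01 10:00:05 Modifying object at DN <GUID=0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9>",
    "2024-01-01 10:00:06 unrelated line",
]

if __name__ == "__main__":
    for guid, info in filters_from_log(SAMPLE_LOG).items():
        print(guid, info["events"], info["filter"])
```

A GUID that shows a "Modifying object" event followed by "Could not locate entry" is the one to search for on each Domain Controller.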

 

Check the OU Context

After checking that the account exists, ensure it is in the correct OU where Okta expects to find it. To check which OU Okta thinks it is in, go to the group being used to provision the user to AD, select the Directories tab, and scroll down to see which OU is selected.

Import Settings  

 

Check the Attributes being changed

To see what attribute values are being passed, enable Verbose logging for the Okta AD agents by following the verbose logging section of the How to Retrieve Okta Agent Logs for Troubleshooting article.

That will capture the attributes that the agent is trying to change and their values. Once the issue has been reproduced, collect the logs and search for this:

Modifying object at DN <GUID=83781D58-4274-40D1-BC45-1B7483EDA7C7>

Following the above line, there will be a list of the changes.  Confirm that the changes are correct and no errors are returned.  Make modifications as necessary. 

Verbose mode can be disabled again once the logs have been captured.
