When Okta initially imports an Active Directory (AD) user, adding the user to a group that points to a new Organizational Unit (OU) in AD fails to move the user into that OU. This occurs because imported users have an individual assignment type that Okta cannot convert to a group assignment type. Disconnect the user from AD and reassign the user via a provisioning group to update the user's assignment type and successfully change the OU.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
Users that Okta originally imports from AD have the Individual assignment type, whereas users that Okta originally provisions to AD via group membership have the Group assignment type. Converting the Individual assignment type to a Group assignment type is not possible. Therefore, the OU of the assignment group does not apply to a user with an Individual assignment type.
To submit a request for a feature release, refer to How to Submit a Feature or Enhancement Request using Okta Ideas. Engineering closely monitors this page to filter and consider ideas for future implementation.
How is an imported Active Directory user reassigned to a new Organizational Unit via a group?
To change the user's assignment type from Individual to Group and allow OU updates via an AD assignment group in Okta, temporarily disable the Deactivate Users provisioning setting, disconnect the user from Active Directory, and reassign the user via a provisioning group.
NOTE: Do not perform the steps below if the user belongs to an Active Directory group that assigns applications in Okta, as the application assignments will be removed.
1. Select Directory, then select Directory Integrations.
2. Open the appropriate AD instance, select Provisioning, and then select To App.
3. Select Edit.
4. Scroll to Deactivate Users, clear the checkbox next to Enable, and select Save.
5. Disconnect the user from Active Directory by following the instructions in Disconnecting Users From Active Directory.
6. Assign the user to the provisioning group in Okta to push the user back to AD. The user now has a group assignment and resides in the correct OU.
7. Re-enable the Deactivate Users setting modified in step 4.
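Before running the procedure against a batch of users, it helps to know which of them are actually Individual-scoped and which fall under the NOTE above. The following pre-check is an added example, not Okta's own tooling: it assumes the records are Okta Application User objects for the AD directory app (as returned by GET /api/v1/apps/{appId}/users), where `scope` is "USER" for an individually assigned (imported) user and "GROUP" for a group-provisioned one; the sample records, the user-to-group map and the set of app-assigning AD groups are constructed for the demo.

```python
from typing import Dict, Iterable, List

# Constructed sample of AD app-user records. The shape (id, scope, profile)
# follows the Okta Application User object; real exports carry more fields.
AD_APP_USERS: List[dict] = [
    {"id": "00u1", "scope": "USER",  "profile": {"samAccountName": "alice"}},
    {"id": "00u2", "scope": "GROUP", "profile": {"samAccountName": "bob"}},
    {"id": "00u3", "scope": "USER",  "profile": {"samAccountName": "carol"}},
]

# Constructed: AD group memberships per Okta user id.
USER_AD_GROUPS: Dict[str, List[str]] = {
    "00u1": ["g-sales"], "00u2": ["g-eng"], "00u3": ["g-vpn-users"],
}

# Constructed: AD groups that assign applications in Okta (the NOTE case).
AD_GROUPS_ASSIGNING_APPS = {"g-vpn-users"}


def classify(user: dict, groups: Iterable[str], app_groups: set) -> str:
    """Return the action for one AD app user.

    no-change : already Group-scoped, the assignment group's OU applies.
    reassign  : Individual scope and no app-assigning AD group membership,
                so disconnect-and-reassign is safe.
    hold      : Individual scope, but an AD group membership assigns apps,
                so the workaround would remove those app assignments.
    """
    scope = user["scope"]
    if scope == "GROUP":
        return "no-change"
    if scope != "USER":
        raise ValueError(f"unexpected scope {scope!r} for {user['id']}")
    if any(g in app_groups for g in groups):
        return "hold"
    return "reassign"


def plan(users: List[dict], user_groups: Dict[str, List[str]],
         app_groups: set) -> Dict[str, str]:
    """Map samAccountName -> action for every AD app user in the export."""
    return {
        u["profile"]["samAccountName"]:
            classify(u, user_groups.get(u["id"], []), app_groups)
        for u in users
    }


if __name__ == "__main__":
    for name, action in plan(AD_APP_USERS, USER_AD_GROUPS,
                             AD_GROUPS_ASSIGNING_APPS).items():
        print(f"{name:8s} {action}")
```

Only users marked "reassign" should go through steps 1 to 7; "hold" users need their application assignments reviewed first.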
