AD Imports Fail after tokenGroups Attribute is Mapped to Okta
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Directories
Overview

Bulk imports and Real-Time Sync actions will fail for a given AD instance if the tokenGroups attribute (or any of its forms) is added to the user profile of the AD instance.

In the admin UI, the import progress bar will stop, and the following error will appear:

An operations error occurred.

[Image: Import - An operations error occurred]

The same message should be visible in the AD agent logs.

2024/12/13 14:30:49.654-06:00 Error -- SERVER(5) -- Error processing READ_LDAP action
2024/12/13 14:30:49.654-06:00 Info -- SERVER   at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
   at Okta.DirectoryServices.WrappedSearchResultCollection.<GetEnumerator>d__13.MoveNext()
   at Okta.DirectoryServices.ScanResult.<CreateScanObjects>d__17.MoveNext()
   at Okta.DirectoryServices.ScanResult.<GetChunks>d__19.MoveNext()
   at Okta.Action.Handler.ReadLdapActionHandler.Handle(ReadLdapAction ldapAction, ActionContext context, List`1 queries, LdapCursor cursor)
   at Okta.Action.Handler.ReadLdapActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.DirectoryServices.DirectoryServicesCOMException received with message An operations error occurred.
 Source=System.DirectoryServices InnerException=.
2024/12/13 14:30:49.654-06:00 Info -- SERVER(5) -- Processing READ_LDAP action finished, (executionTime=00:00:00.0614791)
2024/12/13 14:30:49.654-06:00 Info -- SERVER(5) -- Sending action result (FAILURE) for action READ_LDAP
Applies To
  • AD Bulk Imports
  • AD Real Time Sync (RTS) actions
  • AD-sourced users
  • tokenGroups AD attribute
Cause

Because tokenGroups is a calculated attribute (the AD domain controller computes its value on demand rather than storing it), bulk imports and RTS will fail for a given AD instance if the tokenGroups attribute is added to that AD user profile. The same is true for the other variants of the tokenGroups attribute.

Solution

Check whether the AD user profile contains the tokenGroups attribute (or any of the variants):

  1. In the Okta Admin Console, navigate to Directory > Profile Editor.

  2. Select the Directory filter in the sidebar.

  3. Find the relevant AD instance and select Profile.

  4. Select the All filter in the sidebar.

  5. If the tokenGroups attribute (or any of its variants) appears in the Attributes list, remove it.

The tokenGroups attribute (and its derivatives) contains a list of SIDs pertaining to the group membership of a user. Any group membership information contained in the tokenGroups attribute (and its forms) is already reflected in Okta, so there should be no need to import these attributes.

 

Therefore, Okta has disallowed admins from adding the following attributes to AD user profiles via the Admin UI:

  • tokenGroups
  • tokenGroupsGlobalAndUniversal
  • tokenGroupsNoGCAcceptable
  • msds-tokenGroupNames
  • msds-tokenGroupNamesGlobalAndUniversal
  • msds-tokenGroupNamesNoGCAcceptable
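As an added check (not from this article or from Okta's own tooling), the following Python flags any of the disallowed attribute names in an exported AD app user schema and recognises the READ_LDAP failure signature from the agent log excerpt above. The schema layout (definitions.base/custom.properties with an externalName field) and the sample data are assumptions constructed for the example.

```python
import re

# Attribute names the article lists as disallowed. AD attribute names are
# case-insensitive, so everything is compared in lower case.
DISALLOWED = {
    "tokengroups",
    "tokengroupsglobalanduniversal",
    "tokengroupsnogcacceptable",
    "msds-tokengroupnames",
    "msds-tokengroupnamesglobalanduniversal",
    "msds-tokengroupnamesnogcacceptable",
}

def find_disallowed_mappings(schema: dict) -> list[str]:
    """Return Okta attribute names whose AD externalName is a tokenGroups variant.
    Assumed layout: definitions.{base,custom}.properties.<name>.externalName."""
    hits = []
    for section in ("base", "custom"):
        props = schema.get("definitions", {}).get(section, {}).get("properties", {})
        for name, spec in props.items():
            external = (spec.get("externalName") or name).lower()
            if external in DISALLOWED:
                hits.append(name)
    return hits

# Failure signature as it appears in the agent log excerpt in the article.
READ_LDAP_ERROR = re.compile(r"Error -- SERVER\(\d+\) -- Error processing READ_LDAP action")
OPERATIONS_ERROR = re.compile(r"DirectoryServicesCOMException .*An operations error occurred")

def log_shows_failure(lines: list[str]) -> bool:
    """True when both the READ_LDAP error and the COM 'operations error' are present."""
    saw_read_ldap = saw_ops_error = False
    for line in lines:
        saw_read_ldap = saw_read_ldap or bool(READ_LDAP_ERROR.search(line))
        saw_ops_error = saw_ops_error or bool(OPERATIONS_ERROR.search(line))
    return saw_read_ldap and saw_ops_error

# Constructed sample data: a schema with one offending custom mapping, and two
# log lines following the pattern shown in the article.
SAMPLE_SCHEMA = {"definitions": {
    "base": {"properties": {"userName": {"externalName": "sAMAccountName"}}},
    "custom": {"properties": {"adGroupSids": {"externalName": "tokenGroups"}}},
}}
SAMPLE_LOG = [
    "2024/12/13 14:30:49.654-06:00 Error -- SERVER(5) -- Error processing READ_LDAP action",
    "System.DirectoryServices.DirectoryServicesCOMException received with message An operations error occurred.",
]
```

Run find_disallowed_mappings against the JSON of the AD instance's app user schema before an import, and log_shows_failure over the agent log when an import stalls.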