Campaign Access Review Unable to Revoke User From AD Group "...because the agent did not have sufficient permissions to execute the action"
Identity Governance
Okta Classic Engine
Okta Identity Engine
Overview

When an Access Certifications Resource Campaign includes an Active Directory (AD)-sourced group as a resource and a reviewer revokes a user's access, the user is not removed from the AD group. The Campaign Summary shows the item as Manual Remediation with the following error:

 

The user could not be automatically removed from this group in the source because the agent did not have sufficient permissions to execute the action.

 

[Screenshot: Campaign Summary for the campaign "AD Group Bi Directional Testing"]

The same root cause may apply when the removal is attempted through the API with /api/v1/directories/{appInstanceId}/groups/modify (see the Directories Integration documentation) and the response contains a fragment similar to:

 

  "body": {
    "errorCode": "E0000006",
    "errorSummary": "You do not have permission to perform the requested action",
    "errorLink": "E0000006",
    "errorId": "oaecDQwp03zTo-AT6Jp1eCFhw",
    "errorCauses": []
  },
  "message": "403 Forbidden",

In the Okta System Log, the corresponding AD Agent event has a FAILURE outcome with an error similar to the following (the GUIDs are placeholders):

Error: System.UnauthorizedAccessException: Access is denied. at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChanges() at Okta.DirectoryServices.ActiveDirectoryAdapter.ProcessMemberInLoop(String path, WriteAttribute property) updating membership for user: <GUID=USER_AD_GUID> group: LDAP://DOMAIN.TLD/<GUID=GROUP_AD_GUID> action: REMOVE
Applies To
  • Okta Identity Governance (OIG)
  • Access Certification Resource Campaign
  • Campaign Remediation with AD Bidirectional Group Management
Cause

The service account that the Okta AD Agent runs under does not have the AD permissions needed to remove the user(s) from the group. The stack trace shows the failure at CommitChanges() while writing the group's membership (action: REMOVE), so it is the ACL on the group object, specifically write access to its member attribute, that is missing, not a permission on the user object. This typically happens when Group Push has never been configured for the AD integration, because the additional write permissions that Group Push requires were never granted to the service account; the default read-only permissions used for import are enough to see the group but not to change it.

Solution

For the revocation to be applied in AD, grant the service account used by the Okta AD Agent the permissions listed under the Group Push functionality section of the Okta service account permissions documentation, on the OU that contains the AD-sourced groups:

  • Requires Create Child permissions for group objects on the target OU.
  • Requires Delete Child permissions for group objects on the target OU.
  • Requires Write Property permissions on group objects within the target OU for the following attributes:
    • sAMAccountName
    • description
    • groupType
    • member
    • cn
    • name
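
The following PowerShell is an added example, not part of this Okta article and not Okta's own tooling. It applies the Group Push permission set listed above to one OU for the AD Agent service account and then lists the resulting ACEs so the change can be verified. The account name CORP\svc-okta-ad, the OU DN OU=Okta Groups,DC=corp,DC=example and the function names are placeholders chosen for the example; the schemaIDGUIDs are looked up from the schema partition rather than hard-coded. Run it as an account that can edit the OU's security descriptor, on a host with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example (not from the Okta article): grant the Okta AD Agent service account
# the Group Push permissions on one OU, then list the ACEs the account now holds there.
# Assumed placeholders: the service account name and the OU distinguished name.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-okta-ad'                    # assumed AD Agent service account
$TargetOU       = 'OU=Okta Groups,DC=corp,DC=example'   # assumed OU holding the AD-sourced groups

# Attributes from the Group Push permission list in the article.
$GroupPushAttributes = 'sAMAccountName', 'description', 'groupType', 'member', 'cn', 'name'

# Resolve an attribute or class to its schemaIDGUID from the schema partition.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    [guid]$obj.schemaIDGUID
}

function Grant-OktaGroupPushPermissions {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [string[]]$Attributes = $GroupPushAttributes,
        # Least-privilege variant: only Write Property on 'member', which is all a
        # campaign revocation writes (see the REMOVE action in the stack trace above).
        [switch]$MembershipOnly
    )
    $sid        = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $groupClass = Get-SchemaIdGuid 'group'
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $acl        = Get-Acl -Path "AD:\$OuDistinguishedName"

    if ($MembershipOnly) { $Attributes = @('member') }

    if (-not $MembershipOnly) {
        # Create Child / Delete Child for group objects on the OU and any sub-OUs.
        foreach ($right in 'CreateChild', 'DeleteChild') {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]$right,
                $allow,
                $groupClass,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
        }
    }

    # Write Property on each attribute, inherited only by descendant group objects
    # (inheritedObjectType = group class), so user and computer objects are unaffected.
    foreach ($attr in $Attributes) {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            $allow,
            (Get-SchemaIdGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $groupClass))
    }

    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# List the ACEs the service account holds on the OU, for verification and audit.
function Get-ServiceAccountAces {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}

Grant-OktaGroupPushPermissions -Account $ServiceAccount -OuDistinguishedName $TargetOU
Get-ServiceAccountAces -Account $ServiceAccount -OuDistinguishedName $TargetOU | Format-Table -AutoSize
```

Two practical notes. First, the ACEs are scoped to group objects (the inheritedObjectType is the group class) and to the listed attributes, so the service account gains no rights over users or computers in the OU; granting it broader rights such as Domain Admins membership is never required for this fix. Second, the ObjectType column in the verification output shows the attribute GUID, so a single entry with the GUID of member and InheritedObjectType equal to the group class GUID is what the revocation actually exercises; the -MembershipOnly switch grants exactly that ACE for environments that do not use Group Push, while Okta's documented requirement remains the full Group Push set listed above. After the grant, re-run the remediation (or the /groups/modify call) and confirm that the System Log no longer records the UnauthorizedAccessException shown earlier.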

 
