Deleted Active Directory Group Fails to Show as Deleted in Okta After a Scheduled Import
Last Updated:
Overview
When a directory administrator deletes an Active Directory (AD) group, the group remains active in Okta following a scheduled incremental import because the import only scans for modified objects. Running a manual full import resolves this issue.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Directories
- Active Directory (AD)
- Scheduled Imports
Cause
Scheduled imports in Okta are incremental by default. During an incremental import, Okta runs an LDAP query to search for groups with a specific value for the uSNChanged attribute. This query limits the import to groups in synced organizational units (OUs) that have been modified since the last incremental import, and it excludes deleted groups.
Because an incremental import does not scan every object in an OU, Okta remains unaware of deleted objects. Review How AD Incremental Imports Work for additional details regarding incremental AD imports.
Solution
How is a deleted Active Directory group removed in Okta?
Initiate a manual full import from the Okta Admin Console to synchronize all directory objects and remove the deleted group.
- In the Okta Admin Console, navigate to Directory, and then select Directory Integrations.
- Choose the Active Directory integration.
- Select the Import tab.
- Select Import Now.
- Choose Full Import, and then select Import.
