LDAP Filter Limitation
Okta Classic Engine
Directories
Okta Identity Engine
Overview

Due to limitations in Active Directory, using AD LDAP filters for an import that spans multiple domains may not yield the expected results.

Example of AD LDAP filter:

(&(sAMAccountType=805306368)(!(physicalDeliveryOfficeName="New York"))(!(mail=*mydomain.com)(memberOf:1.2.840.113556.1.4.1941:= CN=My OKTA users,OU=OKTA Groups,DC=a,DC=domain,DC=com)))

In this example, if the user is not part of the mail domain (mydomain.com), the user will not necessarily be picked up by the last part of the filter (the recursive membership lookup "memberOf:1.2.840.113556.1.4.1941:="). Even if trust relationships exist across all domains and the Okta AD Agent is installed on all Domain Controllers (DCs), there is no guarantee that the memberOf information will be available in the Global Catalog (GC).

Applies To
  • Active Directory
  • LDAP Filters
  • Okta AD Integration
Cause

There are limitations to the Microsoft Active Directory Global Catalog (GC). User objects read from the local domain controller carry full group memberOf information. User objects read from a foreign domain controller carry only limited memberOf information, because global group membership is not replicated to every domain controller.

Solution

To address this issue, use attributes that are readily available in the Global Catalog.

  • In this example, filtering on the user's mail domain, for example (mail=*mydomain.com)(mail=*adomain.com), rather than relying on memberOf should capture the user in the filter.
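As an added example (not from the Okta article), the following Python checker parses a filter per RFC 4515 and lists the components that depend on memberOf, which the Cause section says the Global Catalog does not reliably hold for users from other domains. Note that the article's filter as printed nests two filters under `!`, which RFC 4515 does not permit, so the checker reports it as a syntax error; an `|` variant (my assumption about the intended "mail domain or group member" logic) is what gets linted.

```python
# Added example (not from the Okta article): a minimal RFC 4515 filter parser plus a
# lint flagging components that rely on memberOf, which the GC lacks for foreign users.
NOT_IN_GC = {"memberof"}   # populated by the user's own domain only, not replicated to the GC

class LdapFilterError(ValueError): pass

def parse(s, i=0):
    """Parse s[i:]; return (node, next_index): ('and'|'or', kids), ('not', kid) or
    ('item', attr, matching_rule, value)."""
    if s[i:i + 1] != "(":
        raise LdapFilterError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):                            # n-ary operators
        kids, i = [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = ("and" if op == "&" else "or", kids)
    elif op == "!":                                 # exactly one operand per RFC 4515
        kid, i = parse(s, i + 1)
        if s[i:i + 1] == "(":
            raise LdapFilterError(f"'!' takes one filter; extra operand at offset {i}")
        node = ("not", kid)
    else:                                           # simple or extensible item
        j = s.index(")", i)                         # an unescaped ')' cannot occur in a value
        lhs, _, value = s[i:j].partition("=")
        parts = [p for p in lhs.rstrip(":~<>").split(":") if p != "dn"]  # attr[:dn][:rule]
        node, i = ("item", parts[0].lower(), parts[1] if len(parts) > 1 else None, value), j
    if s[i:i + 1] != ")":
        raise LdapFilterError(f"expected ')' at offset {i}")
    return node, i + 1

def gc_unsafe_items(node):
    """Return (attr, rule) pairs anywhere in the tree that depend on non-GC attributes."""
    if node[0] == "item":
        return [(node[1], node[2])] if node[1] in NOT_IN_GC else []
    if node[0] == "not":
        return gc_unsafe_items(node[1])
    return [hit for kid in node[1] for hit in gc_unsafe_items(kid)]

def check(filter_str):
    """Return a list of problems; empty means well-formed and safe for a GC-wide import."""
    try:
        tree, end = parse(filter_str)
        if end != len(filter_str):
            raise LdapFilterError(f"trailing characters at offset {end}")
    except ValueError as exc:                       # LdapFilterError or str.index failure
        return [f"syntax: {exc}"]
    return [f"{a} (rule {r}) not reliably in the Global Catalog" for a, r in gc_unsafe_items(tree)]
```

Run `check()` over a candidate filter before enabling a multi-domain import; anything it reports should be replaced by a GC-replicated attribute such as mail.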