Moving Imported AD-Sourced Okta Users to a New AD OU

Moving the Active Directory (AD) account of an AD-sourced Okta user to a new Organizational Unit (OU) triggers specific behaviors in Okta during the next import. Depending on whether the AD integration settings include the new OU, Okta either updates the user profile attribute or applies the configured Profile and Lifecycle provisioning settings.

• Okta Identity Engine (OIE)
• Okta Classic Engine
• Directories
• Active Directory (AD)
• Imports to Okta

What happens when an AD-sourced Okta user is moved to a new AD OU?

When Okta imports users from AD, and an administrator moves the users from one AD OU to another, Okta processes the change during the next import. Review the following scenarios to understand how Okta handles the user account:

• If the AD integration in Okta includes the new OU, the activation status of the user remains unchanged. Okta updates the appUser.dn (distinguishedName) profile attribute of the user to reflect the new OU.

• If the AD integration in Okta excludes the new OU, Okta applies the configured Profile and Lifecycle provisioning settings. Depending on these settings, Okta deactivates the user, suspends the user, or removes the user from the AD integration during a Full Import or a Real-Time Sync event.

NOTE: An incremental import does not detect the movement of a user to an out-of-scope OU. See How does Okta handle users and groups that are moved to an out-of-scope OU? for more information.