Okta Automatic Profile Push to Active Directory Fails With "Access is denied" Error
Overview

An error occurs when Okta attempts to provision or update a user in Active Directory (AD) because the Okta AD Agent service account lacks the required permissions. When an automatic profile push occurs, Okta fails to create or update the user in AD and generates the following error:

Access is denied

To resolve this issue, grant the minimum required permissions to the service account and restart the AD agents.

The following errors appear in the System Log and in the Okta AD Agent logs.

System Log example: Provision AD user

[Screenshot: Provision AD User event in the System Log]

AD Agent log example: Provision AD user

2024/08/26 11:22:46.266-05:00 Info -- SERVER(4) -- Starting processing of WRITE_OBJECT action rpc::app.active_directory.agent.reply.ok12-jobecs01b.auw2-ok12.internal//1724689396277//b6d2680f47ac9f2671f5d197f43f5abb:a0344202-8ced-4de1-b0f6-f76b538318fe:.
2024/08/26 11:22:46.266-05:00 Info -- SERVER(8) -- GetResponse starting, CurrentConnections:3, ConnectionLimit:10, Timeout:33000, ReadWriteTimeout:300000, KeepAlive:True, ConnectionLeaseTimeout:300000.
2024/08/26 11:22:46.282-05:00 Info -- SERVER(4) -- Creating CN=Grant Imahara,ou=renamed users,ou=org,dc=domain,dc=lcl with schemaClass user
2024/08/26 11:22:46.282-05:00 Verbose -- SERVER(4) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[ou=users,ou=org,dc=domain,dc=lcl] as User:[CN=Grant Imahara]
[...]
2024/08/26 11:22:46.297-05:00 Error -- SERVER(4) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.ok12-jobecs01b.auw2-ok12.internal//1724689396277//b6d2680f47ac9f2671f5d197f43f5abb:a0344202-8ced-4de1-b0f6-f76b538318fe:
2024/08/26 11:22:46.297-05:00 Info -- SERVER   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CommitChanges(IDirectoryEntry entry, IEnumerable`1 attributeChanges)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.CreateObject(String targetDN, String cn, String schemaClass, List`1 properties)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.UnauthorizedAccessException received with message Access is denied.
 Source=Active Directory InnerException=.

System Log example: Update AD user

[Screenshot: Update AD User event in the System Log]

AD Agent log example: Update AD user

2024/08/26 11:49:10.125-05:00 Info -- SERVER(8) -- GetResponse starting, CurrentConnections:3, ConnectionLimit:10, Timeout:33000, ReadWriteTimeout:300000, KeepAlive:True, ConnectionLeaseTimeout:300000.
2024/08/26 11:49:10.125-05:00 Info -- SERVER(3) -- Modifying object at DN <GUID=36207899-8479-42EB-BC0C-5A5E1876352E>
2024/08/26 11:49:10.140-05:00 Verbose -- SERVER(3) -- Action:[WRITE_OBJECT], Type:[MODIFY] move from targetDN:[<GUID=36207899-8479-42EB-BC0C-5A5E1876352E>] to moveToDN:[] for User:[CN=David Clark]
[...]
2024/08/26 11:49:10.140-05:00 Error -- SERVER(3) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.ok12-jobecs03c.auw2-ok12.internal//1724690980175//07da1b71526ceb083d187844607e57fa:2eadf98e-37de-49fd-b1bc-c952167fd6b5:
2024/08/26 11:49:10.140-05:00 Info -- SERVER   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAdsContainer.MoveHere(String sourceName, String newName)
   at System.DirectoryServices.DirectoryEntry.MoveTo(DirectoryEntry newParent, String newName)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.MoveObject(IDomain domain, IDirectoryEntry entry, String moveToDN, String newCN)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.ModifyObject(String targetDN, String moveToDN, String newCN, List`1 propertyChanges)
   at Okta.Action.Handler.WriteActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Handler.MultiTypeActionHandler.Handle(AgentAction action, ActionContext context)
   at Okta.Action.Dispatch.MultiThreadedDispatcher.HandlerCallback(Object param)
System.UnauthorizedAccessException received with message Access is denied.
 Source=Active Directory InnerException=.
2024/08/26 11:49:10.140-05:00 Info -- SERVER(3) -- Processing WRITE_OBJECT action (id=rpc::app.active_directory.agent.reply.ok12-jobecs03c.auw2-ok12.internal//1724690980175//07da1b71526ceb083d187844607e57fa:2eadf98e-37de-49fd-b1bc-c952167fd6b5:) finished, (executionTime=00:00:00.0109508)
2024/08/26 11:49:10.140-05:00 Info -- SERVER(3) -- Sending action result (FAILURE) for action WRITE_OBJECT 
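
As an added example (not Okta's code and not part of this article), the following PowerShell reads agent log lines in the format shown above and lists each WRITE_OBJECT action that ended in System.UnauthorizedAccessException, together with the operation (CREATE or MODIFY), the target DN and the user it concerned, so you can see which containers the service account cannot write to before touching any ACLs. The sample lines in $sampleLog are constructed from the excerpts above with placeholder rpc ids; the function name and the log path in the comment are assumptions.

```powershell
# Added example (not Okta's code): triage Okta AD Agent log lines for WRITE_OBJECT
# actions that failed with System.UnauthorizedAccessException ("Access is denied")
# and report which target DN / user each failure concerned.
# The lines below are constructed from the article's excerpts; rpc ids are placeholders.

$sampleLog = @'
2024/08/26 11:22:46.282-05:00 Verbose -- SERVER(4) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[ou=users,ou=org,dc=domain,dc=lcl] as User:[CN=Grant Imahara]
2024/08/26 11:22:46.297-05:00 Error -- SERVER(4) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.placeholder//1//placeholder:
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
System.UnauthorizedAccessException received with message Access is denied.
 Source=Active Directory InnerException=.
2024/08/26 11:49:10.140-05:00 Verbose -- SERVER(3) -- Action:[WRITE_OBJECT], Type:[MODIFY] move from targetDN:[<GUID=36207899-8479-42EB-BC0C-5A5E1876352E>] to moveToDN:[] for User:[CN=David Clark]
2024/08/26 11:49:10.140-05:00 Error -- SERVER(3) -- Error processing WRITE_OBJECT action rpc::app.active_directory.agent.reply.placeholder//2//placeholder:
System.UnauthorizedAccessException received with message Access is denied.
2024/08/26 11:50:00.000-05:00 Verbose -- SERVER(5) -- Action:[WRITE_OBJECT], Type:[CREATE] for TargetDN:[ou=ok,dc=domain,dc=lcl] as User:[CN=Jane Doe]
2024/08/26 11:50:00.010-05:00 Info -- SERVER(5) -- Sending action result (SUCCESS) for action WRITE_OBJECT
'@

function Get-OktaAgentAccessDenied {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    $lastAction    = @{}    # worker thread id (the n in SERVER(n)) -> last WRITE_OBJECT action it logged
    $pendingThread = $null  # thread whose "Error processing" line was seen most recently
    $pendingTime   = $null
    $results       = New-Object System.Collections.Generic.List[object]

    foreach ($line in $LogLines) {
        # Verbose line announcing the action: carries operation, target DN and user.
        if ($line -match 'SERVER\((?<t>\d+)\).*Action:\[WRITE_OBJECT\], Type:\[(?<op>\w+)\].*?targetDN:\[(?<dn>[^\]]*)\].*User:\[(?<user>[^\]]*)\]') {
            $lastAction[$Matches.t] = [PSCustomObject]@{
                Operation = $Matches.op; TargetDN = $Matches.dn; User = $Matches.user
            }
            continue
        }
        # Error line opening the failure report for that thread.
        if ($line -match '^(?<ts>\S+ \S+) Error -- SERVER\((?<t>\d+)\) -- Error processing WRITE_OBJECT') {
            $pendingThread = $Matches.t
            $pendingTime   = $Matches.ts
            continue
        }
        # The exception line follows the stack trace; attribute it to the pending thread.
        if ($pendingThread -and $line -match 'System\.UnauthorizedAccessException') {
            $action = $lastAction[$pendingThread]
            if (-not $action) {
                $action = [PSCustomObject]@{ Operation = 'unknown'; TargetDN = 'unknown'; User = 'unknown' }
            }
            $results.Add([PSCustomObject]@{
                Timestamp = $pendingTime
                Thread    = $pendingThread
                Operation = $action.Operation
                TargetDN  = $action.TargetDN
                User      = $action.User
            })
            $pendingThread = $null
        }
    }
    return $results
}

# Usage: on the sample this yields two rows (CREATE for CN=Grant Imahara, MODIFY for CN=David Clark);
# the successful action on thread 5 is not reported. For a live agent, replace $sampleLog with
# Get-Content '<path-to-okta-ad-agent-log>' (placeholder path).
$failures = Get-OktaAgentAccessDenied -LogLines ($sampleLog -split "`r?`n")
$failures | Format-Table Timestamp, Operation, User, TargetDN -AutoSize

# Containers to review for the service account's rights, with a count of failures each.
$failures | Group-Object TargetDN | Select-Object Count, Name
```

A target of the form <GUID=...> names the object by its objectGUID rather than by path; with the ActiveDirectory module loaded, Get-ADObject -Identity '<the guid>' returns its distinguished name so you know which OU's ACL to inspect.
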

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • Provisioning
Cause

The Okta AD Agent service account does not have the required permissions within AD.

Solution

How is the "Access is denied" error resolved during an Active Directory profile push?

To resolve the error, verify the service account permissions in the destination organizational unit and restart the agents to apply the changes.

  1. Ensure that the AD service account has the minimum required permissions within the destination Organizational Unit (OU) in AD for all attributes that Okta updates.
  2. Restart the AD agents to apply the new permissions.
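
The two steps above carried out from an agent host, as an added example (not Okta's code and not part of this article): the script lists the access control entries that the service account holds on the destination OU, directly or through the groups it is a direct member of, flags Deny entries and Allow entries that do not reach the user objects beneath the OU, and then restarts the agent service so that the corrected permissions take effect. It assumes the RSAT ActiveDirectory module is installed; the OU, account and service names are placeholders, and the service name OktaADAgent is an assumption to confirm with Get-Service -DisplayName 'Okta*'.

```powershell
# Added example (not Okta's code): review the Okta AD Agent service account's ACEs on the
# destination OU, flag obvious gaps, then restart the agent service to apply new permissions.
# Assumptions: RSAT ActiveDirectory module present; OU, account and service names are
# placeholders; service name 'OktaADAgent' is assumed (check Get-Service -DisplayName 'Okta*').

Import-Module ActiveDirectory

function Get-OktaAgentOuAccess {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,  # e.g. 'OU=users,OU=org,DC=domain,DC=lcl'
        [Parameter(Mandatory)] [string] $ServiceAccount         # sAMAccountName, e.g. 'svc-okta-adagent'
    )
    # Rights granted to a group the account belongs to count too (direct groups only here).
    $principals = @($ServiceAccount) +
        @(Get-ADPrincipalGroupMembership -Identity $ServiceAccount | ForEach-Object SamAccountName)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]   # strip the DOMAIN\ prefix
        if ($principals -notcontains $name) { continue }
        [PSCustomObject]@{
            Principal       = $ace.IdentityReference.Value
            Type            = $ace.AccessControlType       # Allow or Deny
            Rights          = $ace.ActiveDirectoryRights   # CreateChild, WriteProperty, ...
            Inheritance     = $ace.InheritanceType         # None = this OU only, not objects beneath it
            ObjectType      = $ace.ObjectType              # attribute/class GUID; all zeros = everything
            InheritedObject = $ace.InheritedObjectType
            IsInherited     = $ace.IsInherited
        }
    }
}

function Test-OktaAgentOuAccess {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName,
          [Parameter(Mandatory)] [string] $ServiceAccount)
    $aces = @(Get-OktaAgentOuAccess -OuDistinguishedName $OuDistinguishedName -ServiceAccount $ServiceAccount)
    $problems = @()
    if ($aces.Count -eq 0) {
        $problems += "no ACE on $OuDistinguishedName names $ServiceAccount or one of its groups"
    }
    foreach ($deny in ($aces | Where-Object Type -eq 'Deny')) {
        $problems += "Deny ACE for $($deny.Principal): $($deny.Rights)"
    }
    # An Allow scoped to the OU itself (InheritanceType None) never reaches the user
    # objects that Okta creates or modifies under it.
    $reachesChildren = @($aces | Where-Object { $_.Type -eq 'Allow' -and $_.Inheritance -ne 'None' })
    if ($aces.Count -gt 0 -and $reachesChildren.Count -eq 0) {
        $problems += "no Allow ACE is inherited by objects beneath $OuDistinguishedName"
    }
    [PSCustomObject]@{ Aces = $aces; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

function Restart-OktaAdAgent {
    param([string] $ServiceName = 'OktaADAgent')   # assumed service name; verify on the host
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    (Get-Service -Name $ServiceName).Status        # expect Running
}

# Usage (placeholder values): review first, grant whatever is missing, then restart the
# agent on every host so each one re-binds with the corrected rights.
$check = Test-OktaAgentOuAccess -OuDistinguishedName 'OU=users,OU=org,DC=domain,DC=lcl' -ServiceAccount 'svc-okta-adagent'
$check.Aces | Format-Table Principal, Type, Rights, Inheritance, ObjectType -AutoSize
$check.Problems | ForEach-Object { Write-Warning $_ }
if ($check.Ok) { Restart-OktaAdAgent }
```

The script reports rather than grants: which rights are the minimum depends on the attributes your Okta profile mappings push, so read the listed ObjectType GUIDs against those attributes and add only what is missing. Run Test-OktaAgentOuAccess once more after the change, and restart the service on each agent host, since a running agent keeps its earlier view of the account's permissions until it is restarted.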