This article describes the permissions needed to move users between OUs that are connected to Okta through directory linked groups.
When a user is a member of multiple directory linked groups, the priority of the group on the Assignments tab dictates which OU the user is created in. When the user is removed from the group with the highest priority, Okta attempts to remove the user from the OU connected to that group and to create them in the OU connected to the highest-priority group the user still belongs to. If the Okta AD Agent service account does not have sufficient permissions on both OUs, the user is not moved and an Access Denied error is displayed on the user's profile in Okta.
- Okta Provisioning Groups
- Active Directory (AD)
- Move users between OUs
The Access Denied error is caused by insufficient privileges for the service account used by the Active Directory Agent.
For the Okta Active Directory Agent service account to move users between OUs, the account will need the following permissions:
Provision User
- Requires Create Child permission for user objects on the target Organizational Unit (OU).
- Requires the Reset Password control access right for user objects within the target OU.
- Requires write property permissions on user objects within the target OU for the following attributes:
  - userPrincipalName
  - sAMAccountName
  - givenName
  - sn
  - userAccountControl
  - pwdLastSet
  - lockoutTime
  - cn
  - name
- Requires write property permissions on user objects within the target OU for all other attributes mapped on the AD user profile in Okta. Mappings are listed under Directories at https://<org>/admin/universaldirectory.
Delete User
- Requires Delete Child permission for user objects on the target OU.
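The following PowerShell script is an added example and is not part of the Okta article or the Okta AD Agent installer. It grants one OU the rights listed above (Create Child and Delete Child for user objects on the OU, Reset Password on user objects inside it, and Write Property on the listed attributes plus any extra mapped attributes) to the agent service account, then reads the resulting ACEs back. Because a move is a removal from the source OU followed by a creation in the destination OU, run it once against every OU that users can move between. The domain `example.com`, the account `svc-okta-ad`, the OU `OU=Okta Users,DC=example,DC=com` and the extra attributes `mail` and `displayName` are assumptions for illustration; schema and control access right GUIDs are looked up from the forest at run time rather than hard-coded.

```powershell
# Added example, not Okta's code. Run on a DC or RSAT host with the ActiveDirectory
# module, as an account that can edit the OU's DACL.
Import-Module ActiveDirectory

$ServiceAccount  = 'svc-okta-ad'                            # assumption: agent service account
$TargetOu        = 'OU=Okta Users,DC=example,DC=com'        # assumption: OU linked to a group
$ExtraAttributes = @('mail', 'displayName')                 # assumption: extra attributes mapped in Okta

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID of a class or attribute, resolved from the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right such as "Reset Password".
function Get-ControlAccessRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$sid       = (Get-ADUser -Identity $ServiceAccount).SID
$userClass = Get-SchemaGuid 'user'
$resetPwd  = Get-ControlAccessRightGuid 'Reset Password'

# Attributes named in the article, plus whatever else the Okta AD profile maps.
$attrs = @('userPrincipalName', 'sAMAccountName', 'givenName', 'sn', 'userAccountControl',
           'pwdLastSet', 'lockoutTime', 'cn', 'name') + $ExtraAttributes

$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @()
# Provision User / Delete User: create and delete "user" child objects on the OU itself.
# Use $Inh::All instead of $Inh::None if users may also live in sub-OUs.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ADR::CreateChild, $Allow, $userClass, $Inh::None)
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ADR::DeleteChild, $Allow, $userClass, $Inh::None)
# Reset Password control access right on user objects within the OU.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ADR::ExtendedRight, $Allow, $resetPwd, $Inh::Descendents, $userClass)
# Write Property on each required attribute, scoped to user objects within the OU.
foreach ($a in $attrs) {
    $attrGuid = Get-SchemaGuid $a
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ADR::WriteProperty, $Allow, $attrGuid, $Inh::Descendents, $userClass)
}

# Apply the ACEs to the OU's DACL via the AD: PSDrive.
$aclPath = "AD:\$TargetOu"
$acl = Get-Acl -Path $aclPath
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $aclPath -AclObject $acl

# Read back what the service account now holds on this OU. Expect CreateChild and
# DeleteChild with InheritanceType None, ExtendedRight and one WriteProperty per
# attribute with InheritanceType Descendents.
(Get-Acl -Path $aclPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The ObjectType column shows raw GUIDs; comparing them against the values returned by `Get-SchemaGuid` for each attribute confirms that every attribute mapped in Okta is covered. An attribute mapped in the Okta profile but missing from `$ExtraAttributes` will still produce the Access Denied error on the next move, so keep that list in sync with the mappings under Directories.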
