This article provides troubleshooting steps for an issue where an Incremental Import from Active Directory (AD) into Okta reports “0 users scanned,” even though a user in AD has been updated. Consequently, the user's updated profile information is not imported into Okta. Full Imports successfully update the user.
- Active Directory (AD)
- Okta Active Directory Agent
- Incremental Imports
- User Profile Updates
A common root cause of this issue is that the Okta AD Agent's service account has insufficient read permissions on the Active Directory objects it synchronizes.
Details:
- Incremental Imports rely on the uSNChanged attribute in Active Directory to identify users whose profiles have been updated since the last import.
- The AD Agent performs an LDAP query targeting users whose uSNChanged value falls within the range between the last successful import and the current import start time. Example query structure:
  (&(&(objectClass=user))(uSNChanged>=X)(uSNChanged<=Y))
- If the AD service account has limited read permissions and is unable to view the uSNChanged attribute value, Okta cannot determine that the user has been updated.
- As a result, the user is not scanned during the Incremental Import, leading to the “0 users scanned” result for that specific Domain Controller scan.
- Full Imports successfully update the user because they do not rely on the uSNChanged attribute to detect changes; they scan and process all synchronized users.
NOTE: If user attributes are not updating during an Incremental Import, and the service account permissions are correct, the issue may be related to constructed attributes. Changes to constructed attributes (whose values are calculated on demand by AD) do not update the uSNChanged value, and thus are not detected by Incremental Imports.
The solution is to ensure the Active Directory service account used by the Okta AD Agent has sufficient read permissions for all synchronized AD objects, specifically the uSNChanged attribute.
- Test Service Account Read Permissions
  To confirm whether the Okta AD service account can read the necessary attribute, perform the following test:
  - Open Active Directory Users and Computers (ADUC) as the Okta Service Account.
  - Ensure Advanced Features are enabled in the ADUC View menu.
  - Navigate to and open the properties of a user who failed to update during an incremental import.
  - Select the Attribute Editor tab.
  - Locate the uSNChanged attribute.
  - If the Value column for uSNChanged is not displayed (for example, it is empty or shows <Not Set>), the service account is confirmed to lack sufficient read permissions for this critical attribute.
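The following PowerShell script is an added example, not Okta's own code and not part of this article's original procedure. Run it as the Okta AD Agent service account to perform the same read-permission check from the command line and to reproduce the agent's uSNChanged range query described under Details; it assumes the ActiveDirectory RSAT module, and the DC name, test user and lower USN bound are placeholders you must replace.

```powershell
# Added example (not Okta's code): verify that the current account can read uSNChanged
# and reproduce the AD Agent's incremental-window query as that account sees it.
# Start this shell as the service account, e.g. runas /user:DOMAIN\svc-okta powershell.exe
Import-Module ActiveDirectory

$Server   = 'dc01.example.com'   # placeholder: the Domain Controller the agent scans
$TestUser = 'jdoe'               # placeholder: sAMAccountName of the user that failed to update
$LowerUsn = 123456               # placeholder: uSNChanged recorded at the last successful import

# 1. Can this account read uSNChanged on the specific user at all?
#    uSNChanged is not returned by default, so it must be requested explicitly.
$user = Get-ADUser -Server $Server -Identity $TestUser -Properties uSNChanged
if ($null -eq $user.uSNChanged) {
    Write-Warning "uSNChanged is not readable for $TestUser as $env:USERNAME; the account lacks Read Property on this attribute."
} else {
    Write-Host "uSNChanged for $TestUser = $($user.uSNChanged)"
}

# 2. Reproduce the agent's incremental window query. highestCommittedUSN on the RootDSE
#    is the current upper bound of the change window on this DC.
$UpperUsn = (Get-ADRootDSE -Server $Server).highestCommittedUSN
$filter   = "(&(objectClass=user)(uSNChanged>=$LowerUsn)(uSNChanged<=$UpperUsn))"
$changed  = Get-ADUser -Server $Server -LDAPFilter $filter -Properties uSNChanged

# If the account cannot read uSNChanged, AD evaluates the filter against attributes the
# caller is allowed to see, so nothing matches: the same "0 users scanned" outcome.
Write-Host "$(@($changed).Count) user objects fall inside [$LowerUsn, $UpperUsn] as seen by $env:USERNAME"
$changed | Select-Object SamAccountName, uSNChanged | Format-Table -AutoSize
```

A non-zero count here but "0 users scanned" in Okta points away from permissions and toward the constructed-attribute case described in the NOTE above.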
- Verify and Update Service Account Permissions
  Ensure the Okta AD Agent service account has the necessary permissions.
  - The service account must have Read all permissions for all synchronized AD objects (Users, Groups, Organizational Units).
  - Consult with Active Directory administrators to confirm the service account has the Read Property permission specifically for the uSNChanged attribute on the relevant user objects.
  - After adjusting permissions, restart the AD Agent service on all AD Agent servers. This ensures the new permissions take effect.
- Force a Full Import to Resolve Pending Updates
  Once the permissions are confirmed and corrected, an administrator should run a Full Import to ensure any pending updates missed by previous incremental imports are processed.
  - Log in to the Okta Admin Console.
  - Go to Directory > Directory Integrations.
  - Select the relevant Active Directory integration.
  - Navigate to the Import tab.
  - Click Import Now.
  - Select the Full Import option.
  - Click Import.
- Test Incremental Import
  After the Full Import is complete and the service account permissions are verified:
  - Update an attribute for a test user in Active Directory.
  - Run an Incremental Import in Okta.
  - Verify that the import results show a value greater than "0 users scanned" and that the test user's Okta profile is successfully updated.
