<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7VCsSANOkta Classic EngineLifecycle ManagementAnswered2024-04-17T13:45:14.000Z2016-09-08T01:31:33.000Z2018-08-12T04:16:09.000Z

rsjy6 (rsjy6) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
WDaaM Provisioning AD accounts

Hi,

 

We're working on a project at the moment, where we intend to switch over the master to Workday, currently its AD. 

When we cutover the expectation is that Okta will create and manage AD accounts that are mastered by WD. There are a few things I'm not clear on, firstly is it possible to specify the destination OU based on attributes without relying on Workday provisioning groups? secondly if a user is provisioned in an OU - lets say sales - then someone moves them to a different OU - we'll go with finance - will Okta then move them back from finance to sales? or is the OU a once off and not updated like attributes are? 

 

Thanks,

Lawrence

  • 3 answers
  • 928 views

  • cody.suders1.3982070751843718E12 (Okta, Inc.)

    Yes it is possible to use Okta's dynamic groups to assign AD OUs instead of Workday provisoining groups.

     

    And no, Okta does not have the ability to move accounts from one OU to another.  The OU assignment only applies to where newly provisioned users are created.
    Selected as Best

  • cody.suders1.3982070751843718E12 (Okta, Inc.)

    Yes it is possible to use Okta's dynamic groups to assign AD OUs instead of Workday provisoining groups.

     

    And no, Okta does not have the ability to move accounts from one OU to another.  The OU assignment only applies to where newly provisioned users are created.
    Selected as Best

  • miqxq (miqxq)

    @Lawrence - we are using a combination of Workday attributes (pushed from WD->Okta->AD) and a Powershell script to put new users in departmental OU's as well as to add them to AD Groups which in turn are used in Otka to assign applications. The sript triggers when a new account is created in AD by the Okta Service account. 

     

    For users that change departments, etc. - that gets a bit trickier. We are doing that manually for now but I am looking into ways to automate it. I will likely start with a script that monitors for changes to attributes and sends an alert email. Moving them to the new departmental OU automaticall would be easy enough...but adding and particularly removing applications is messier due timing of the move, etc. 

     

    Feel free to let me know if you have questions. 

     

    --Eric
    Expand Post

  • rsjy6 (rsjy6)

    Thanks Eric - I had already considered that, though trying not to overload myself with a big list of scripts to create for the project. 🙂
This question is closed.
Loading
WDaaM Provisioning AD accounts