Okta Classic Engine | Lifecycle Management | Answered | 2026-04-01T09:00:20.000Z | 2020-04-26T05:29:50.000Z | 2020-04-29T04:20:37.000Z

j8nga (j8nga) asked a question.

AD User Provisioning - Automatic provisioning of user xxxx to app Active Directory failed: Error provisioning active_directory user: Access is denied.

Hi,

 

So I have set up my Okta org and Active Directory. The AD agent installed successfully and everything appears to be alright. AD to Okta works perfectly fine, no problem. OktaService (service account) is in the Domain Admins group (which is ideally not required, but for test purposes).

 

I am still getting Access code 5 - Denied when I assign AD to newly created Okta users which I am getting from an HR system (my amazing CSV flat file). I need these to be created in AD, and that's when I am running into this.

 

What am I missing here?


  • 2gfue (2gfue)

    Did you check the permissions of the service account? Does it have permission to create users?

    How are you assigning AD to the newly created user?

    • The best way to achieve AD provisioning: you first need to create a group in Okta and then assign that group to your AD instance. When users are added to the group, they are also created in AD.

    Also, I am hoping Create Users is enabled in the Directory Integrations settings.

    https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-configure-provisioning.htm

  • j8nga (j8nga)

    Hi Saurabh,

     

    Yes - for test purposes the OktaService account has been added to the Domain Admins group.

    AD is being assigned using Okta Groups. This is when they attempt being provisioned and I get that error above.

    Create user is enabled. I see the user creation being attempted and then I get an Error code 5 - Access is Denied.

     

    I have provisioned the AD Agent and the Okta side as per Okta docs. Import worked just fine and so does update/password sync.

     

    Regards,

  • 2gfue (2gfue)

    If you search for this error on Microsoft, this is a very common permission-related issue, not specific to Okta. Import or password updates are different operations; I am hoping the service account which you are using doesn't have enough permission to create users. Have you enabled debug logging on the agent?

    On the Okta agent, update the setting below in OktaAgentService.exe.config:

     

    <add key="VerboseLogging" value="False" />

    change to

    <add key="VerboseLogging" value="True" />

     

    Also, can you try to create a user in AD manually by logging in with that service account?

     

    Thanks

     

     

  • j8nga (j8nga)

    Hi @2gfue (2gfue)​ 

     

    Thanks a lot! The issue is fixed now. Guess what worked? I restarted the DC. Okta to AD seemed to work magically, no changes made. Sigh. MS and its endless ability to fix itself upon reboots never ceases to amaze me.

  • k5fuw (k5fuw)

    Out of curiosity, did you install the Okta AD agent on the domain controller? Reading through this thread, I was wondering if it was just a matter of the order of the steps you took. If you installed the AD agent, then added the service account to the Domain Admins group, it makes sense that you would get errors because you would have needed to restart the Okta AD agent before it would have gained the Domain Admins rights (group memberships are only evaluated at sign in). And if the Okta AD agent is installed on the domain controller, rebooting the DC would also restart the Okta AD agent service, also resulting in the service account's elevated privileges.

    Selected as Best
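
A way to check for the stale-token condition described in the answer above, as an added example that is not part of the original thread or Okta's own tooling: it compares when the agent's service process started with when the service account was linked into the group. Assumptions: the agent executable is OktaAgentService.exe (inferred from the OktaAgentService.exe.config file named in the thread), the RSAT ActiveDirectory module is installed, and the script runs elevated on the agent host.

```powershell
# Added example. Assumed: agent binary is OktaAgentService.exe, group is the
# Domain Admins group used for testing in the thread.
Import-Module ActiveDirectory

$GroupName = 'Domain Admins'

# Locate the agent service by its executable rather than by a guessed service name.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*OktaAgentService.exe*' } |
    Select-Object -First 1
if (-not $svc) { throw 'No service running OktaAgentService.exe found on this host.' }
if ($svc.ProcessId -eq 0) { throw "Service '$($svc.Name)' is not running." }

# The access token (and its group SIDs) was built when this process logged on.
$started = (Get-Process -Id $svc.ProcessId).StartTime

# StartName is DOMAIN\user or user@domain; reduce it to the sAMAccountName.
$sam   = ($svc.StartName -split '\\')[-1] -replace '@.*$'
$user  = Get-ADUser  -Identity $sam
$group = Get-ADGroup -Identity $GroupName

# Per-member replication metadata records when this account was linked to the group.
$link = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
            -Server (Get-ADDomainController).HostName -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' -and
                   $_.AttributeValue -eq $user.DistinguishedName }

if (-not $link) {
    "No direct membership link found for $sam in $GroupName."
} elseif ($link.LastOriginatingChangeTime -gt $started) {
    "Stale token: $sam was linked at $($link.LastOriginatingChangeTime), service started $started."
    Restart-Service -Name $svc.Name   # a new logon session picks up the membership
} else {
    "Service started after the membership change; its token already includes $GroupName."
}
```

Restarting only the agent service is enough to refresh its token; a domain controller reboot has the same effect only because it restarts the service along the way.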
  • j8nga (j8nga)

    You know what Mike? That makes absolute sense cause that is EXACTLY what I did. Bummer.

This question is closed.