0D54z00008RLnwzCAD | Okta Identity Engine | Directories | Answered | 2024-04-16T09:59:39.000Z | 2022-11-24T12:21:13.000Z | 2022-11-28T11:38:03.000Z

62h5y (62h5y) asked a question.

Create AD user based on Region and Department Okta user Attributes

Hi,

How can I set Okta up to create/provision users to a specific OU in AD based on the attributes that are defined in the Okta user profile, without setting up dozens of Okta groups with directions to the AD OU?

My AD looks like this:

OU=User
-OU=Region
--OU=NewYork
--OU=DC
-OU=APAC
--OU=Tokyo
--OU=HongKong
-OU=EU
--OU=Berlin
--OU=London

I tried using the expression language for the DN mapping under Okta to AD, but this did not work, as it seems like the AD accounts are only created when they are assigned to a group that is linked to a specific OU in AD. But what if I wanted to go with a more dynamic approach than maintaining groups that are "hard linked" to an OU?

  • DonF.81354 (Customer)

    Hi! For better or worse, I can also confirm that you would have to tie each group to its respective location in AD. You can, however, ease this management with the use of group rules to automatically assign your users to a particular group based on criteria of your choosing. Although this does not alleviate the need for the initial setup of these groups (creating, tying to OU, etc.), it could allow you to automate user assignment, thus saving time and effort in the long term. You could use a rule to send, say, someone with a country code of US to your US group tied to your US OU, and so on. Same for city, department, etc. Hope that helps!

    Selected as Best
  • flaviu.vrinceanu1.5628408972654734E12 (Customer Success Service Delivery)

    Hi @62h5y (62h5y),

    Thank you for posting on the Okta community page!

    I have done some research but unfortunately I wasn't able to find another way in which you could push users from Okta to AD without using groups. Therefore, if you would like to have another functionality, I assume that you could submit a feature request. The best way to file a feature request would be from the community site.

    Once feature requests are submitted they are visible to other Okta admins, who can vote on them to provide more visibility. Using this method will allow you to maintain visibility on your feature requests throughout the process.
This question is closed.
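
The group-rule approach from the selected answer, as an added example that is not part of the original thread: it parses the OU tree from the question and builds one Okta group rule body per leaf OU, in the shape the Okta Groups API accepts at `POST /api/v1/groups/rules`. The base DN, the group ID placeholders, and the assumption that each user's `city` profile attribute matches the OU name exactly are illustrative.

```python
# OU tree as posted in the question (number of dashes = nesting depth).
OU_TREE = """\
OU=User
-OU=Region
--OU=NewYork
--OU=DC
-OU=APAC
--OU=Tokyo
--OU=HongKong
-OU=EU
--OU=Berlin
--OU=London
"""
BASE_DN = "DC=example,DC=com"  # assumption: placeholder domain
# Constructed placeholders; real IDs come from the groups already tied to each OU.
GROUP_IDS = {n: f"<GROUP_ID_{n}>" for n in
             ("NewYork", "DC", "Tokyo", "HongKong", "Berlin", "London")}

def leaf_ous(tree, base_dn=BASE_DN):
    """Map each leaf OU name to its full DN."""
    rows = [(len(ln) - len(ln.lstrip("-")), ln.lstrip("-").strip())
            for ln in tree.splitlines() if ln.strip()]
    leaves, path = {}, []
    for i, (depth, rdn) in enumerate(rows):
        path = path[:depth] + [rdn]
        if i + 1 == len(rows) or rows[i + 1][0] <= depth:  # no child OUs
            leaves[rdn.split("=", 1)[1]] = ",".join(path[::-1] + [base_dn])
    return leaves

def group_rule(value, group_id, attribute="city"):
    """Rule body: users whose profile attribute equals value join group_id."""
    if '"' in value or "\\" in value:
        raise ValueError(f"unsafe character in expression literal: {value!r}")
    return {
        "type": "group_rule",
        "name": f"AD OU {value}",
        "conditions": {"expression": {"type": "urn:okta:expression:1.0",
                                      "value": f'user.{attribute}=="{value}"'}},
        "actions": {"assignUserToGroups": {"groupIds": [group_id]}},
    }

def build_plan(tree, group_ids):
    """One rule per leaf OU; fail loudly if an OU has no group mapped yet."""
    plan = []
    for name, dn in leaf_ous(tree).items():
        if name not in group_ids:
            raise KeyError(f"no Okta group mapped to {dn}")
        plan.append({"ou": dn, "rule": group_rule(name, group_ids[name])})
    return plan
```

`build_plan(OU_TREE, GROUP_IDS)` returns the six rule bodies alongside the OU each group is expected to be tied to. Rules created through the API start inactive and must be activated before they assign anyone.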