PhoenixB.21381 (Customer) asked a question.
I have an interesting scenario that I'd like to solicit input from the broader Okta admin community on. As the title suggests, I have a use case where an Active Directory group is in an OU being imported into Okta, which contains a nested AD group, but where the nested group is in an OU that is not being imported into Okta. The use case here being that our AD environment has loose groups in the top-level OU that must not be imported into Okta, thus preventing us from importing the top-level OU with those groups, but it also includes groups that would be worth having.
The solution we tried was to create the second group in an OU that was being imported, but Okta doesn't seem to be able to recognize the nested group. While we could schedule a task to replicate users into the second group with some automation on our local servers, I'd like to find something that future admins won't have to hunt for. Am I missing any options in Okta? Is there a way to import individual groups when the OU it is in isn't being imported? Moving the groups isn't an option because we know that there are some dependencies that require the OU's DistinguishedName remain the same. It seems like the legacy decisions of my org are boxing me into a corner, here.
Hello @PhoenixB.21381 (Customer) Thank you for posting on our Community page!
At this time this is not possible, in order to import a group into Okta from AD the OU they are a part of needs to be selected in the import section.
You can check our doc on how we handle Nested groups below:
https://support.okta.com/help/s/article/How-does-Okta-handle-nested-groups?language=en_US
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Join the discussion for our Ask Me Anything on January 20, 2026: Adoption of Stronger Authentication MFA. Ask our expert questions.