I am running a one way sync and provision from OpenLDAP to AD. Everyhting is working correctly :). Except... if I delete an account from OpenLDAP, it is not removed from AD... this is desired. I want to disable the AD account if it is deleted from OpenLDAP. However, if I then delete that account from AD, it repopulates into AD after the next Export routine. I think it stays alive somewhere in the FIM Portal, but can't figure out how to kill it in the FIM environment. I'd need to be able to delete an account in OpenLDAP and have it removed from FIM, but not delete in AD. Any ideas on if/how that can be accomplished? Thank you in advance for the help! Robert

You can find a detailed description of the conceptual background in Understanding Deprovisioning in FIM. The simplest method to accomplish what you are looking for requires a configuration of the Object Deletion Rule and Deprovisionig. You need to configure the object deletion rule to delete a metaverse object when disconnected from your OpenLDAP MA. On your FIM MA, you need to set deprovisioning to Stage a delete on the object for the next export run. AD MA, you need to set deprovisioning to Make them disconnectors. The tradeoff with this approach is that you will have to periodically remove orphaned ExpectedRuleEntry objects from your environment. Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

Thank you! Exactly what I was loooking for. Robert

Thanks Markus for the help. It resolved my issue too. Let me brief my scenrio as its different than the one posted here. I have FIM connected to an external source which is AD DS in my case. I was able to add new user to FIM from AD, but when I was deleting user objects from AD, those were not being removed from FIM. After following your instructions, the user objects are being added or deleted once the action is taken on AD. Thank youNetwork Engineer