Built-in Synch account changing group membership type
I've created a security group within FIM which is criteria-based and includes all the users that haven't registered for SSPR (Password Reset). When I click on View Members, it has the correct individuals in there. When the synchronization occurs and someone new needs to be added to that group, the built-in account goes ahead and manually adds them. The problem is that when it does that, those new accounts are now the only members and it changes the type of group to Manually Managed, which I don't want. I want the group to STAY criteria-based and any new folks would simply meet that criteria. How do I get FIM to quit changing the type of group it is?
August 11th, 2010 11:22pm

Bump. I really need an answer to this, as now every 15 minutes, when we kick off a Delta synch, it changes or updates the membership to Manual from Criteria-based. Anybody?
August 27th, 2010 6:52pm

Hi there - There's nothing in the default configuration in FIM which would programmatically change group membership from criteria-based (dynamic group) to manually managed (static group). My recommendation is to begin by looking at requests which have the group in question as the target of the request. If you see any unexpected requests, that's a good place to follow up the investigation; for example if you see a request which updates the MembershipLocked attribute of the group, or adds explicit members to the group, that points toward the problem. Also - what is the filter definition for membership in this group? Cheers, --Jeff.
August 28th, 2010 1:34am
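One way to run the check Jeff suggests, as an added example that is not from the thread: it lists FIM Service requests whose target is the group and flags any that touch MembershipLocked, ExplicitMember or Filter. It assumes the FIMAutomation PowerShell snap-in, the default local FIM Service URI, and a placeholder group display name.

```powershell
# Added example, not the thread's own script. Assumes the FIMAutomation snap-in
# and a FIM Service reachable at the default local URI.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$uri       = "http://localhost:5725/ResourceManagementService"   # assumption: default FIM Service URI
$groupName = "SSPR-Not-Registered"                                # placeholder: use the real group DisplayName

# FIM XPath dialect: every Request whose Target reference resolves to the group.
$filter   = "/Request[Target = /Group[DisplayName = '$groupName']]"
$requests = Export-FIMConfig -Uri $uri -OnlyBaseResources -CustomConfig $filter

# Attributes whose modification turns a criteria-based group into a manual one.
$suspect = @("MembershipLocked", "ExplicitMember", "Filter")

foreach ($req in $requests) {
    # Flatten the exported attribute list into a name -> value hashtable.
    $attrs = @{}
    foreach ($a in $req.ResourceManagementObject.ResourceManagementAttributes) {
        if ($a.IsMultiValue) { $attrs[$a.AttributeName] = $a.Values }
        else                 { $attrs[$a.AttributeName] = $a.Value }
    }

    # RequestParameter is multi-valued XML; PropertyName names the attribute being changed
    # (assumption: the standard FIM RequestParameter element layout).
    $changed = @()
    foreach ($p in @($attrs["RequestParameter"])) {
        if (-not $p) { continue }
        $name = ([xml]$p).RequestParameter.PropertyName
        if ($name) { $changed += $name }
    }

    $hits = $changed | Where-Object { $suspect -contains $_ }
    $flag = if ($hits) { "<-- CHECK: " + ($hits -join ", ") } else { "" }

    # Creator is a reference (urn:uuid:...); the Built-in Synchronization Account
    # shows up here when the sync engine, not a person, submitted the request.
    "{0}  {1,-8} {2,-10} creator={3} changes=[{4}] {5}" -f `
        $attrs["CreatedTime"], $attrs["Operation"], $attrs["RequestStatus"],
        $attrs["Creator"], ($changed -join ","), $flag
}
```

A request flagged with MembershipLocked or ExplicitMember whose creator is the Built-in Synchronization Account points to an inbound flow on the member attribute, which is where Jeff's investigation would continue.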

Thanks Jeff. This group was created inside FIM to be provisioned to Active Directory and to change its membership based on the filter criteria I will post below. No other requests of any type are being made on this group whatsoever. The only reason for its existence is to use the group, as it's updated in AD, to apply rules. Inside the FIM environment there isn't anything happening with it, except for the changing membership based on criteria and the synchronization that would happen naturally between FIM > MV > AD. The filter is: Select User that match all of the following conditions: AuthN Workflow Registered not contains Password Reset AuthN Workflow, AND a few other last name and custom attribute qualifiers relative to our environment. That's all.
August 31st, 2010 11:03pm

Hi there, I'm confused by the request. Why is the synchronization account "manually" updating the group membership? Why are you not just updating an attribute within the FIM portal so that the dynamic criteria will take effect and manage the group? It really sounds as though you're manually updating the membership using a set of criteria to do so. I would suggest that you use that criteria to update an attribute which is flowed into the FIM Service, which will then add the user to the group based on the defined criteria. Regrettably, groups in FIM are only criteria-based or manually managed. I would suggest that as soon as you add the manual members, the group defaults back to a non-criteria-based group (or the manual membership takes precedence). Thanks, B
September 1st, 2010 12:28am

I'm not sure why the synch account is manually updating the membership. Could it be because I have equal precedence set for the member attrib in both AD and FIM? I update the membership, criteria-wise, via the portal; it syncs out to AD; then AD turns around and re-updates the membership? But if that were so, why, when I look at the group in FIM, are there only two or three users in there? I'm not sure I understand what you have suggested, Blain; please expound. The reason I did it the way I did is because it was requested of me to create a group in AD, which they could perform an action on using a different tool, that included the members of our organization who hadn't registered for SSPR. Since I needed to determine which users, I had to create a criteria-based group that would include users who hadn't registered. Then that group should get updated based on that specific criteria and flow the membership change to AD. This might not be doable because of the need to flow the membership attrib back from AD to the portal, because we are in the transition phase and are still updating membership in AD for now. That won't last forever. FIM will be our first and last choice to update group membership and we will then lose the equal precedence. Any help would be appreciated.
September 1st, 2010 11:04pm
