Hi Everyone, Quick and probably easy question. I've followed the FIM to AD group creation guide and everything works great. My users are in a group in FIM and in AD. Everything is good until the membership changes in FIM. How do I set FIM to update the member attribute when a user is no longer in the group? I imagine I need a workflow for that. Basically I want to have dynamic group membership based upon a multivalued attribute I have on each user. This part is working. However as new users come into the group they are not added to the group in AD as the group has already been provisioned.

hi Brandon, as I understand the dynamic group membership works in the FIM Portal as desired, but the member attribute is not updated in the corresponding AD groups Do you have set up within the FIM Portal an Outbound Sync Rule to AD , which includes an persistent outbound attribute flow for the member attribute of group objects?/Matthias

I do have an outbound rule for the group. It basically transitions in whenever a group is created which triggers the provision. I believe member is persistant, I just have it as an attribute. The users that are in the group when it was created is fine. Its when I make changes to the group membership that i'm not seeing it update in AD.

Do you have an export attribute flow for the "member" attribute that is NOT checked for "initial flow only" for the group objects? Besides that, is your FIM MA "more precedent" than AD? for the member attribute? You could check groups in the FIM MA connector space or the MetaVerse as to see "how far" your memberships are getting. Depending on that info you can modify the configuration.http://setspn.blogspot.com