FIM Removing members of a group which are not in Metaverse. Is that expected?
Hi,
I have come across rather unusual behavior and wanted to run it by you all.
Scenario is as follows:
AD-MA is configured to read user and group objects from (let's say) 2 containers: Container-1 and Container-2.
AD-MA has a connector filter on group object so that ONLY groups from Container-1 are projected to MV.
All users from Container-1 and Container-2 are projected to Metaverse.
All groups from Container-1 are projected to Metaverse.
All groups from Container-1 are ignored for projection to MV.
The current FlowScope on the member attribute is set to "user,group".
Problem
The problem surfaces when a user from Container-3 (some container other than Container-1 and Container-2) is a member of a group (let's say GroupX) from Container-1.
As AD-MA is configured not to pick up users from Container-3, a placeholder is created for this user (let's say UserX) when GroupX is imported into the AD-MA connector space.
Upon the completion of one complete sync cycle (AD->MV->FIM->MV->AD), the Synchronization service is removing UserX from GroupX as UserX is not in MV.
Is this normal behavior or am I missing something? Is there any way to override this behaviour?
Thanks for your help in advance.
Thanks & Regards,
Jameel Syed
Principal Consultant, fimGuru - Your window into simplified identities
jameel.syed@fimguru.com - http://www.fimguru.com
January 27th, 2011 6:44pm
This is by design.
To synchronize reference attributes such as member, you always need the referencing and the referenced object in a data layer (CS, MV).
You can find more details on this in
How Do I Provision Groups to Active Directory Domain Services or
How Do I Synchronize Groups from Active Directory Domain Services to FIM
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
January 27th, 2011 7:37pm
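A pre-sync audit for the behavior described in the answer above, as an added example that is not part of the original thread: it lists members of projected groups that have no in-scope object and would therefore be removed. The DNs under DC=example,DC=com, the function names, and the rule that a member is a group when it appears as a key of the input are assumptions made for illustration.

```python
import re

# Constructed scope mirroring the question's scenario (all DNs are hypothetical).
BASE = "DC=example,DC=com"
USER_SCOPE = [f"OU=Container-1,{BASE}", f"OU=Container-2,{BASE}"]
GROUP_SCOPE = [f"OU=Container-1,{BASE}"]  # connector filter: only these groups project

def split_dn(dn):
    """Split a DN into lower-cased RDNs; commas escaped with a backslash stay put."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def in_scope(dn, containers):
    """True if dn lies below a container, compared RDN by RDN (not by substring)."""
    rdns = split_dn(dn)
    for container in containers:
        base = split_dn(container)
        if len(rdns) > len(base) and rdns[-len(base):] == base:
            return True
    return False

def at_risk_members(groups, user_scope=USER_SCOPE, group_scope=GROUP_SCOPE):
    """Map each projected group to its members that have no in-scope object.

    groups: {group DN: [member DNs]} for every group the AD MA imports.
    Assumption: a member DN that is itself a key of `groups` is a group.
    """
    group_dns = {",".join(split_dn(dn)) for dn in groups}
    report = {}
    for group_dn, members in groups.items():
        if not in_scope(group_dn, group_scope):
            continue  # filtered group is not projected, so it is skipped here
        missing = []
        for member in members:
            is_group = ",".join(split_dn(member)) in group_dns
            scope = group_scope if is_group else user_scope
            if not in_scope(member, scope):
                missing.append(member)
        if missing:
            report[group_dn] = missing
    return report

# Constructed sample data: GroupX has members inside and outside the MA's scope.
SAMPLE = {
    f"CN=GroupX,OU=Container-1,{BASE}": [
        f"CN=UserA,OU=Container-1,{BASE}",
        f"CN=UserB,OU=Container-2,{BASE}",
        f"CN=UserX,OU=Container-3,{BASE}",   # placeholder only, not in MV
        f"CN=GroupY,OU=Container-2,{BASE}",  # group outside the connector filter
        f"CN=UserZ,OU=Container-10,{BASE}",  # must not match Container-1
    ],
    f"CN=GroupY,OU=Container-2,{BASE}": [f"CN=UserX,OU=Container-3,{BASE}"],
}
```

Running `at_risk_members` on a real export of group DNs and their member values before the first full sync cycle shows which memberships depend on objects outside the management agent's scope.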