Hi, I have come across rather unusual behavior and wanted to run it by you'll. Scenario is as follows: AD-MA is configured to read user and group objects from (lets say 2 containers). Container-1 and Container-2 AD-MA has a connector filter on group object so that ONLY groups from Container-1 are projected to MV. All users from Container-1 and Container-2 are projected to Metaverse All groups from Container-1 are projected to Metaverse All groups from Container-1 are ignored for projection to MV The current FlowScope on the member attribute is set to "user,group". Problem The problem surfaces when a user from Container-3 (some other container other than Container-1 and Container-2) is a member of a group (lets say GroupX) from Container-1 As AD-MA is configured not to pickup users from Container-3, a place holder is created for this user (lets say: UserX) when GroupX is imported into AD-MA connector space Upon the completion of one complete sync cycle( AD->MV->FIM->MV->AD), the Synchronization service is removing UserX from GroupX as UserX is not in MV. Is this normal behavior or am I missing something? Is there any way to override this behaviour. Thanks for your help in advance. Thanks & Regards, Jameel Syed Principal Consultant, fimGuru - Your window into simplified identities jameel.syed@fimguru.com - http://www.fimguru.com

This is by design. To synchronize reference attributes such as member, you always need the referencing and the referenced object in a data layer (CS, MV). You can find more details on this in How Do I Provision Groups to Active Directory Domain Services or How Do I Synchronize Groups from Active Directory Domain Services to FIM Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation