Help With External Scoping Filters on Sync Rules
I have two types of distribution groups in my organization: open, which anyone should be allowed to subscribe to without owner approval, and closed, which requires owner approval for joining. The description field of the open distribution groups all begin with the word "Open".

I have two Synchronization Rules for distribution groups. Rule 1 is for the closed groups and it sets "Owner Approval" to the "membershipAddWorkflow" attribute so in FIM you need owner approval to request joining the group. Rule 2 is for the open groups and it sets "None" to the "membershipAddWorkflow" attribute so in FIM anyone can join without approval. Rule 1 has a precedence of 1 and Rule 2 has a precedence of 2. I want only closed groups to be affected by Sync Rule 1 and only open groups to be affected by Sync Rule 2.

My problem is I cannot seem to set a Description based External Scoping Filter that works the way I want it to. On Sync Rule 1 I tried adding the filter "description not starts with Open" and then having no filters on Sync Rule 2. My logic was that any group that had a description starting with Open should be filtered by Rule 1, but then for Rule 2 those groups would be picked up and have the rules applied. This does not work. I have tried reversing the logic (e.g. using "description starts with Open") and even adding a filter on Sync Rule 2 that is the opposite of Sync Rule 1. I have also tried using the "contains" Operator, but nothing seems to work.

However, what does work is if I filter by the "managedBy" attribute. If my open groups do not have a manager set in AD and I change Sync Rule 1 to use the filter "managedBy not equal (leave value box blank)" that works. I would like to filter on Description instead though, as an open group can still have a manager in my organization. Further, I have User Sync Rules that filter successfully on other attributes, but all use "equal/not equal" as the Operator.

Can anyone shed some light on what I may be doing wrong? Is it possible there is a bug with the "starts with/not starts with" and "contains/not contains" operators?
April 26th, 2011 11:22am

It's entirely possible that something is broken here. Have you tried falling back to legacy connector filters and seeing if that will work? If all you want to do is tweak that membershipAddWorkflow attribute based on some criteria, frankly I think it would be easier to write a quick advanced attribute flow rule. If you can describe the logic I imagine I or someone else here could write it really quickly for you if you need help.

My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
April 26th, 2011 1:14pm

This topic is archived. No further replies will be accepted.
