Provisioning fails. EREs are removed unexpectedly?
We've got an issue where some MPRs we've just created seem to be firing, but are being reversed, i.e. the EREs are being removed, and I don't know why.
Background: Our MPRs that triggered provisioning, i.e. adding to sync rules, were set up to fire on user creates. This turned out to be insufficient as we need them to fire on certain updates, i.e. when they become members of a set. So we retired the old MPRs and created some new ones which are set-transition (in) ones.
Problem: The EREs for provisioning get created, but then in another request, they are removed and so the user does not get provisioned. I have no idea why this is. Can anyone enlighten me? As I understand it, the MPR causes generation of the EREs in the first place.
The user is definitely a member of the set. The SQL job that maintains the sets has been executed. The EREs are created by the "Forefront Identity Manager Service Account" account. The EREs are removed by the "Built-in Synchronization Account" account.
July 12th, 2011 1:06pm

You should post your provisioning policy.
Cheers, Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
July 12th, 2011 2:11pm

Two things:
1. If you have duplicate EREs for a given object (e.g. a user has two EREs for the same Sync Rule to AD), FIM will/should generate a delete for the old one.
2. If you look at your request history in the portal, you should be able to find the delete request for the ERE and see what requested it and backtrack.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
July 12th, 2011 5:19pm

Markus, here's our provisioning policy. Yes, it really is this big :)
Brian, they're not duplicates as far as I can see. FIM creates the two EREs for the two systems separately, but the built-in sync account removes them in one go.
Provisioning Policy Configuration
==================================
Removed...
July 13th, 2011 4:51am

It works now. I created a new user, ran the SQL job and they provisioned successfully. The only thing that is different now is that I did a full import/full sync after the last user. I didn't think this was necessary for MPR changes, I thought that was only necessary for Sync Rule changes, but perhaps now. Thanks anyhow guys.
July 13th, 2011 6:50am

This topic is archived. No further replies will be accepted.
