Hi I've set up a user and group provisioning from the FIM portal to an active directory. I'm able to create security groups and user accounts on the FIM portal and provide these into my active directory. Providing an user as a member of one of my security groups on the portal works fine and gets synchronized with my active directory but if I try to remove the user as a group member nothing happen's in active directory. can anybody help me?

I've just got the solution: There is an "Inbound and Outbound" synchronization needed on the group synchronization rule with member=>member as Inbound Attribute Flow.

I'm still not able to remove the last user from group members. Any ideas?

Go to the Flow Definition, select Destination and check that "Allow null values to flow to destination" is enabled

Go to the Flow Definition, select Destination and check that "Allow null values to flow to destination" is enabled I did so but it does not work either.

I'm having the same problem. The last user in the group cannot be deleted either from the portal or from AD. It always gets recreated. Have you found any solution for this problem?

and I tried the Allow Null checkbox, but that doesn't help

I didn't find a solution for this yet. I've just created a dummy user which is a member of every group. It's not the best "solution" but it works for me.

We found a solution for this. Instead of having a Delta Import in your run profile after every Export operation on the AD MA, use a DIDS ( Delta Import Delta Synchronization ). This is assuming that you have precedence set on the member attribute of group, to Equal Precedence. You also need to allow null in your sync rules, and also in the attribute flow for the FIM Service MA.