Synch rule deprovisioning
Have posted this as a follow-up to http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/31a6403b-0b93-45ab-a3e8-dad5acc948cc already, but in case that doesn't get seen by anyone:

I've run into a problem with declarative deprovisioning - can't get it to deal with deletes in FIM Portal and flow them out as deletes in AD MA. I have a synch rule, an MPR and a workflow configured to fire off on new user creation and add the object to synch rule scope - that works and provisions it to AD fine. Another MPR and workflow catch employment status change, and if it changes out of Contractor or Full Time Employee a deprovision gets triggered, which also works fine.

However, the deletion from FIM Portal doesn't trigger a deprovision - the user is instead re-synched from MV into FIM Portal on the next run of FIMMA. Neither the status change MPR nor the object deletion MPR seems to get triggered on deletion, so the ERL pointing to an outgoing synch rule remains and the object gets reprovisioned. (If I set object deletion in MV object deletion rules, that catches it fine, but I was hoping to use declarative all the way.)

Regards, thanks
Petar
June 4th, 2010 8:26pm

You need to configure the metaverse object deletion rule to delete the MV object when disconnected from a FIM connector. The related picture is in the other post.

In addition to that, you need to configure the deprovisioning reaction on ALL affected MAs. The default is set to make them disconnectors, which would bring them back into the metaverse during the next synchronization run. If FIM is authoritative, then set deprovisioning to stage a deletion.

All about deletions is covered in Understanding Deletions in ILM. There are just a few things missing that are specific to FIM.

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 4th, 2010 9:57pm

Hi Markus,

Thanks. Does that mean that MV deletion rules are the (best practice) way to go for declarative provisioning as well, i.e. no changes in FIM compared to ILM when it comes to this, whereas declarative rules in FIM Portal can/should be used for non-deletion cases such as employee status change etc.?

On a slightly different note - if object deletion is exported as an account disable and move to a Disabled Accounts OU in AD, is there a best practice on how to deal with these further to make sure they don't get projected into the MV? I've got a custom projection rule filtering out any projections from the Disabled Accounts OU while projecting all others, but would ultimately like to be able to pick up the same account and move it back to a regular OU if the user is reactivated.

Many thanks for your help & info,
Petar
June 7th, 2010 11:30am

Petar, this is correct, the object deletion rule is the best practice to handle metaverse object deletions. To prevent an object from coming back, set the deprovisioning reaction to "Make them explicit disconnectors".

Cheers,
Markus

Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
June 7th, 2010 2:19pm

This topic is archived. No further replies will be accepted.
