Hello, I have a criteria based security group based on the jobtitle of an employee, if in employee is in the correct jobtitle he will be a member of the group, and that's also synced correctly to active directory. However, if the jobtitle changes, in the fim portal you correctly see the user is not a member of that group anymore. the change is however not synced back to the metaverse and ad. anyone some idea what this can be? Thanks

Well if you currently have the scenario working where being a member of the group in the portal ensures you are a member of the group in AD, then it should be a matter of running the correct run profiles I think. Have you run a delta (or full) import on the FIM MA prior to running a synchronization? The import should update the group members in the FIM CS so that a sync run can update the Metaverse and the AD CS. Regards, Thomashttp://setspn.blogspot.com

Yeah that was my idea too, however after trying to run the import nothing is changing.. an full import on the FIM MA makes the member field change, but only add, it doesn't remove any entry even though it's not there anymore in the portal.

Found the sollution, i had the group made by the portal administrator, however i declared to filter syncing this administrator. That's why no objectSid was known for this user. after removing the administrator from the members everything worked out just fine.