Provision users to FIM from AD DS

I have a setup where users are created using an HR application. The HR application is authoritative for creating users in AD and updating attributes like fname, sn, department etc. in AD. The FIM sync server is being used to import/export data from/to other systems.

I plan to implement the group management feature in our environment, and the HR application should remain authoritative for creating users. Groups should be created in the FIM portal and members should get added based on certain criteria, like role is admin etc. The group should then get created in AD, and the respective members should be added in AD based on the criteria in the FIM portal.

I plan to do this in the following steps:

1. Extend the FIM schema to accommodate extra attributes.
2. Create the FIM MA and enable inbound synchronisation on the FIM portal for users; this will create users in the FIM portal.
3. Create an outbound sync rule for groups so that groups created in the FIM portal are created in AD.

Users should only get updated/created by the HR application, and groups should be managed by the FIM portal only. Any guidance or advice is highly appreciated.

AdiKumar
April 24th, 2012 12:02pm

Hi,

Have you looked at this guide? http://social.technet.microsoft.com/wiki/contents/articles/650.how-do-i-provision-groups-to-active-directory-domain-services.aspx

Is your concern that FIM might manage aspects of a user in AD other than their group membership? FIM doesn't have to flow any attributes to the users. You can just have the attribute flows set up for the group object.

HTH,
Sami
April 24th, 2012 12:47pm

This topic is archived. No further replies will be accepted.
