Active Directory Management Agent Feature ADMAUseACLSecurity incompatible with Active Directory Recycle Bin Feature RRS feed

  • General discussion

  • hi all,

    I’m actually facing an issue with the ADMAUseACLSecurity AD MA configuration in an Active Directory 2008 environment with Recycle Bin enabled and asking myself, if this is a bug or if I’m missing something.

    The environment looks this:

    • Active Directory 2008 on Windows 2008 R2 SP1 DCs
    • Recycle Bin enabled
    • Forefront Identity Manager 2010 R2 (4.1.2273.0) SyncEngine
    • Registry Key ADMAUseACLSecurity=1 configured on the FIM 2010 box
    • AD Management Agent, connecting to the Active Directory Forest with an dedicated service account (Domain User privileges, no additonal permissions in AD)

    The FIM behavior

    • Deleting an Active Directory object and running a Full Import detects the deletion in FIM; everything works fine
    • Deleting an Active Directory object and running a Delta Import detects the deletion in FIM as Filtered Object; the deleted Active Directory object remains in the Active Directory Connector space.
    • A Full Import afterwards corrects the error and deletes the object in the Connector Space
    • Running the MA with Domain Admin privileges detects the object deletion correctly during Delta Imports
    • Also falling back to the old MA permission model (Active Directory MA service account with Replicate Directory changes permissions on the domain object) detects the object deletion during Delta Import Operations correctly

    Did I miss something?


    Thursday, November 8, 2012 10:39 AM

All replies

  • May I ask why you prefer not to stick with the "Replicate directory changes" permission?  There are significant advantages to this method of change detection; e.g., without the DirSync control one must use less efficient searching based on USNs.
    Thursday, November 8, 2012 5:08 PM