FIM to AD Group Synchronization: exported-change-not-reimported RRS feed

  • General discussion

  • I’m currently encountering exported-change-not-reimported errors on two security groups managed by FIM. These groups are managed through the Portal and the membership is then updated in AD.

    The “member” attribute is synced from FIM to the MV and from the MV to AD.


    The changes it seems to struggle with is the existence of some users in the member attribute in Active Directory. These users have their names built like sAMAccountName0\Del_GUID. This actually makes sense. This are users I deleted from the Portal earlier on. When I delete a user in the portal it is removed from the group in the portal AND I stage a delete in AD for that user. And ofcourse this change in membership is flowed out to AD.


    What probably happens in AD is the user is “moved” to the deleted objects container, it group membership is retained (I have the recycle bin enabled!). I verified the group members in AD using PowerShell and it also shows me the sAMAccountName0\Del_Guid as a member. So FIM which is supposed to be authoritative for the member attribute, keeps deleting this user from its CS while AD keeps adding it.


    I’m wondering how you guys would coop with this? I'm not sure enabling equal precedence on the “member” attribute in the Metaverse would be sufficient. How about the reference integrity?


    I know FIM 2010 Update 1 and KB979214 added support for the recycle bin. How is it supposed to handle my scenario?

    Some info on this recycle bin support: and

    Monday, August 30, 2010 5:42 PM

All replies

  • I have just recently witnessed what seems to be the same issue (member attribute set to equal precedence + object deltas showing from the deleted objects container in AD), but in this case the AD recycle bin was OFF.  I believe there is a call open with this right at the moment and I am hoping one of the MS guys can give us an update on the issue soon?

    Bob Bradley, (FIMBob?)
    Tuesday, October 19, 2010 7:40 AM
  • As for my case there is indeed a case open with PSS and the product group is currently writing a fix for it. I've no idea whether yours is related.
    Tuesday, October 19, 2010 7:52 AM
  • Thomas, can you check whether your bug is only related to membership or affects all reference attributes like manager?

    What I mean - if deleted user was a manager for other person and was deleted there will be same export-change-not-reimported errors.


    Monday, November 15, 2010 10:11 AM
  • See the screenshot - this export action will be never confirmed causing export-change-not-reimported until object from RecycleBin will be completely deleted.


    - <delta operation="update" dn="CN=<dn>">
      <anchor encoding="base64">6oTjk/2/ckujmnVCHolp+g==</anchor>
    - <dn-attr name="manager" operation="update" multivalued="false">
    - <dn-value operation="delete">
      <dn>CN=<cut>\0ADEL:56d90d74-0bd5-4c6d-a4f6-d0e94ae9b061,CN=Deleted Objects,DC=here</dn>
      <anchor encoding="base64">dA3ZVtULbUyk9tDpSumwYQ==</anchor>

    Monday, November 15, 2010 10:31 AM
  • Evgeniy,

    This seems to be equal like I'm seeing with the member attribute. As the product group is currently writing a fix for this, I would advise opening a case with PSS for this if you want to get more detailed information.

    Monday, November 15, 2010 10:34 AM
  • thanks'


    Monday, November 15, 2010 10:36 AM
  • Thomas,

    can you provide me you case number, TAM's name or engineer's name to search MS database for details?

    my email is e-d 'at'


    Tuesday, November 23, 2010 3:14 PM