AD group member not correctly provisioned RRS feed

  • Question

  • Hi,

    I have a database with users and groups and a domain (one forest one domain with level 2008 R2) with users and groups

    Users and groups are projected from the database to the metaverse.

    Groups are provisioned to AD by FIM, whereas users are joined. I'm not using the portal only sync service.

    In the metaverse, a group has 3000 members but in Active Directory only 158.

    If I can take one user that should be in the AD group but is not:

    • I can see that the user has a connector to AD.
    • I can see that the user is member of the group (by looking at its GUID)

    I have done several Full import/Full synchronization from AD or the database, or just by using the preview/commit feature. I even suppress the whole connector space but nothing changed.

    I'm using FIM 2010 build 4.0.3594.2.

    Do you have any ideas?

    Saturday, July 27, 2013 4:27 PM

All replies

  • A few things to check:

    • What is your attribute precedence set to for "member"?
    • Do the users definitely exist in the same connector space as the groups?
    • What does the full sync preview tell you about the member export flow to AD?
    Monday, July 29, 2013 3:16 AM
  • There might be problem with Outbound Sync rules or in mandatory attributes mapping for AD, make sure you mapped sAMAccountName, unicodePwd,UserAccountControl and DN .
    Friday, July 3, 2015 4:29 PM
  • I don't see how you are making the relation between user and group. Before FIM came up with the portal and group management, there was a tool called Group Populator .  You can still use it.  it is free and works.

    You need a method in metaverse to relate users with groups.

    Nosh Mernacaj, Identity Management Specialist

    Friday, July 3, 2015 4:42 PM
  • Have you run any Export profiles against AD? You're only mentioning Imports and Sync runs.

    Regards, Soren Granfeldt
    blog is at | facebook | twitter at!/MrGranfeldt

    Tuesday, July 7, 2015 10:30 AM