We would like to use Synch Service to update user's group membership from a SQL DB, instead of manually adding groups. We get the below message and found a KB article that says to create a virtual attribute for each group, but this workflow will apply to all of our groups and users!
Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM). (Exception from HRESULT: 0x8007209A)