Synchronization of AD User and AD Groups

Question

Hi, 
 
 i got a problem while synchronizing from OIM into Active Directory. 
 We have Domain with different Customers in it. We only manage at this time one customer with OIM. 
 There are some Active Directory Groups which are shared between the Customers. 
 
 In the Manager Application i can see that in some of those AD-Groups "Active Directory SIDs" and the Identites from OIM are displayed. 
 
 Everytime I synchronize from OIM to AD, the OIM Jobserver tries to add this "Active Directory SIDs" again as an Member of the group, although they are in it right now. 
 
 Is there any Way that there unmanaged AD-Accounts are ignoriered by Synchronizing? 
 
 Thanks for your Help

Trevor Pike · Answer

Hi Marcel, 
 
Again, I'm confused. By default a sync is from the target, AD, to 1IM. That direction. If Change Auditor is seeing changes then that would be due to provisioning jobs, i.e. 1IM to the target. Is your sync configured to use a provisioning workflow? 
 
Any filtering would have to be for the group objects, not users, even though you don't want the sync to bring those users in. But as they still exist in those groups in AD, 1IM marks them as "Active Directory SIDs" and creates table entries for those, ADSOtherSIDInADSGroup. 
 
But based on the description of the issue I think opening a service request with Support would be a good idea so we could take a look at the sync project and your logs, to get a better understanding of what's going on and how to remediate the issue. 
 
Trevor