jimc wrote:

> Message: Code(-8003) Unable to synchronize reference to CN=Mr Howard
> Jones,OU=dept1,OU=bld1,OU=ntest,OU=Nth,OU=edir,DC= prlnwdev,DC=surreycc,DC=gov,
> DC=uk from attribute Member.

Looks like Howard Jones is not associated - check in iManager if the user
object really has an association value of 735a5a525f3aeb45a92d13489d96ce8e for
your AD driver. Of course IDM can only resolve associations that exist,
which also explains why the resolve token does not help any further...

Two possible solutions:

a) migrate user accounts before trying to sync group memberships

b) if you do not want to associate users, see if you can find a matching user
object with the query token. Here's an example for matching employeeNumber =

<description>Manually match group members</description>
<if-class-name mode="nocase" op="equal">group</if-class-name>
<token-removed-attr name="member"/>
<token-op-attr name="member"/>
<do-set-local-variable name="current-matches" scope="policy">
<arg-match-attr name="workforceID">
<arg-value type="string">
<token-src-attr name="employeeNumber">
<token-local-variable name="current-node"/>
<if-xpath op="true">count($current-matches) = 1</if-xpath>
<do-set-xml-attr expression="$current-node" name="type">
<token-text xml:space="preserve">string</token-text>
<do-strip-xpath expression="$current-node/@association-ref"/>
<do-strip-xpath expression="$current-node/text()"/>
<do-append-xml-text expression="$current-node">
<token-xpath expression="$current-matches/@src-dn"/>
<do-strip-xpath expression="$current-node"/>

Good luck, Lothar
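
A pre-check for option (a), as an added example that is not part of the original post: it lists the group members that have no processed association for the AD driver, which are the references the driver cannot resolve. It assumes DirXML-Associations values in the LDAP form driverDN#state#value with state 1 meaning associated; the driver DN, user DNs and association values are constructed sample data.

```python
# Added example: find group members the AD driver cannot resolve because
# they lack a processed association. All DNs and values are constructed.
AD_DRIVER = "cn=AD Driver,cn=DriverSet,o=system"  # assumed driver DN
PROCESSED = "1"  # assumed: state 1 = associated (0 disabled, 2 pending, 4 migrate)

USERS = {  # constructed user entries, as an LDAP export might return them
    "cn=alice,ou=dept1,o=example": {
        "DirXML-Associations": [AD_DRIVER + "#1#a1b2c3d4-constructed"]},
    "cn=bob,ou=dept1,o=example": {
        "DirXML-Associations": ["cn=Other Driver,cn=DriverSet,o=system#1#bob-id"]},
    "cn=carol,ou=dept1,o=example": {
        "DirXML-Associations": [AD_DRIVER + "#2#carol-constructed"]},
}
GROUP_MEMBERS = [  # constructed member list of the group to be synced
    "CN=Alice,OU=dept1,O=example",
    "cn=bob,ou=dept1,o=example",
    "cn=carol,ou=dept1,o=example",
    "cn=dave,ou=dept1,o=example",
]

def parse_association(value):
    """Split 'driverDN#state#associationValue'; the value may contain '#'."""
    driver_dn, state, assoc = value.split("#", 2)
    return driver_dn.strip().lower(), state.strip(), assoc

def unresolved_members(members, users, driver_dn):
    """Return {member_dn: reason} for members the driver cannot resolve."""
    want = driver_dn.lower()
    index = {dn.lower(): entry for dn, entry in users.items()}
    problems = {}
    for dn in members:
        entry = index.get(dn.lower())
        if entry is None:
            problems[dn] = "no such user object"
            continue
        parsed = map(parse_association, entry.get("DirXML-Associations", []))
        states = [state for drv, state, _ in parsed if drv == want]
        if not states:
            problems[dn] = "no association for this driver"
        elif PROCESSED not in states:
            problems[dn] = "association state " + ",".join(states)
    return problems

if __name__ == "__main__":
    for dn, reason in unresolved_members(GROUP_MEMBERS, USERS, AD_DRIVER).items():
        print(dn + ": " + reason)
```
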