I need to synchronize user accounts that are in 3 specific OUs in the
Active Directory. I added rules in the policies that veto operations
that are not within the 3 OUs specified.

pub-pp policy:
- if destination DN not in subtree
"ou1/department/organization/company" veto();

sub-pp policy:
- if destination DN not in subtree
"ou=ou1,ou=department,dc=organization,dc=company" veto();

The rule is working fine for create, update, and deletion of user accounts.
However, it is not working that well for a Migrate-into-Identity Vault
operation. The behaviour is described below:
1) I select "User" in the class list filter pop-up box for the Migrate
Into Identity Vault function in iManager and click OK.
2) In the remote loader screen, I see that the driver tries to query
user accounts that are NOT within ou1/department/organization/company.
When I look into the traces, I see that this operation is vetoed by the
object placement policy (which is correct), but the weird part is that it
repeatedly tries to sync those user accounts again and again. I thought I
had already vetoed the operation? Why is it started again?

How do I prevent the Migrate-into-Identity Vault event from syncing OUs
NOT within ou1/department/organization/company right from the start?

Thank you

gumiho's Profile: http://forums.novell.com/member.php?userid=95321
View this thread: http://forums.novell.com/showthread.php?t=454758