I have an AD that has users in 8 different OUs and groups in 4 other OUs
(12 AD OUs in total). I have an eDir that has these 8 AD user OUs
combined into 2 eDir user OUs and the 3 AD groups go into 2 eDir group
OUs (4 eDir OUs in total). I want to prevent users from 3 of the AD OUs
being processed through to the eDir OU they belong to and group
memberships for those users not to process. The groups that the users
are being synchronised to belong in one eDir OU only. It appears that I
have stopped the users from being processed as creates, moves or
deletes, but the group memberships seem to still be processing. If I
could, I would like to prevent the driver from processing any user from
those 3 OUs and doing anything at all in IDM.

I have tried putting vetoes and breaks in using destinationDN and using
the employeeType attribute in several existing policies (All these users
have "staff" in the "employeeType" attribute.) Nothing has worked so
far. I could really use some help. Let me know what more info you

I have been dumped in the deep end a wee bit with this as our person
who really understands this deep dark IDM driver magic is off sick for a
number of weeks and I'm trying hard to get up to speed. Please be

egriff's Profile: https://forums.netiq.com/member.php?userid=1586
View this thread: https://forums.netiq.com/showthread.php?t=3008