I'm attempting to create a policy to remove all AD group memberships
from a user when the user object gets moved to a "Disabled" OU in AD.

The operation would start in AD and "write back" to AD on the Subscriber
channel to remove the group membership.

I can't read "memberOf" (user) from IDM (as I can w/ an LDAP browser),
so I'm thinking I'll have to collect the group memberships to an array,
and remove the "Member" from each group they belong to.

Has anyone gone through this before or have any suggestions?
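For comparison, here is how the same cleanup looks when done directly against AD with the RSAT ActiveDirectory PowerShell module rather than from an IDM policy. This is an added example and not code from the original post or from IDM itself; the OU distinguished name is a placeholder you would replace with your own. It follows the approach the post describes (collect the user's groups, then remove the user as a "member" of each), which is necessary because memberOf is a back-link computed from each group's member attribute and cannot be written to directly.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the account running it may modify group membership.
Import-Module ActiveDirectory

# Placeholder: replace with the DN of the real "Disabled" OU.
$DisabledOU = 'OU=Disabled,DC=example,DC=com'

# Where to record the memberships before they are removed, so the change can
# be audited or reversed if a user is re-enabled by mistake.
$LogPath = Join-Path $env:TEMP 'removed-group-memberships.csv'

# Users whose object sits directly in the Disabled OU. memberOf is requested
# explicitly because Get-ADUser does not return it by default.
$users = Get-ADUser -SearchBase $DisabledOU -SearchScope OneLevel -Filter * -Properties memberOf

foreach ($user in $users) {
    # memberOf holds one DN per group. It does not include the primary group
    # (normally Domain Users), which is governed by primaryGroupID instead.
    foreach ($groupDN in $user.memberOf) {
        [PSCustomObject]@{
            When  = (Get-Date).ToString('s')
            User  = $user.DistinguishedName
            Group = $groupDN
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation

        # -WhatIf only reports what would happen; remove it to apply the change.
        Remove-ADGroupMember -Identity $groupDN -Members $user -Confirm:$false -WhatIf
    }
}
```

Run it with -WhatIf first and check the CSV; once the set of affected groups looks right, drop -WhatIf to actually remove the memberships. If the Disabled OU has nested sub-OUs, change -SearchScope to Subtree.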