IDM 402 AD Driver on W2K8r2 server (2003 forest level)
On the publisher channel I have filter allowing group class/group
membership to synch from AD back to IDVault. When there is a change in
AD Group object, the trace is telling me the driver is reading event
from AD, which is good. No matter whether it is an add or delete of
user to the group object in AD, the engine will issue a <remove-all>
first, and then synch the ones that are still in the AD group back to
IDVault, thru Pubchannel.

I would like to find out, is there a way we can change the behavior of
the AD driver to, in the event that I pull a user out from an AD group,
the driver will, instead of issuing a <remove-all>, the driver will
perform a single <remove><dn><value>userA</value></dn></remove>. I can
appreciate why it is doing a <remove-all> instead of remove...but we
come across a situation that we need to find out which user(s) has/have
been removed from a group object in AD, and further process those user
object in IDVault. And in the event there are multiple user(s) got
removed from the AD group, I can process each user objects that are
pulled, based on our business requirements. Or do you have other

Thanks for any kind of suggestions (except shelling out to script,


vzlchan's Profile: https://forums.netiq.com/member.php?userid=4473
View this thread: https://forums.netiq.com/showthread.php?t=50624