Sounds simple and probably something obvious I'm naively missing, but...

Groups in the Vault and memberships sync via the default filter to
GroupWise. However, making a policy that simply attempts to add a user as a
"member to" a driver associated group is not working for me. I made a sub
ctp rule that

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC
<description>&lt;Specify Name>group add</description>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<do-add-dest-attr-value class-name="Group" name="Member" when="after">
<token-text xml:space="preserve">\vault\ou\group</token-text>
<arg-value type="dn">
<token-src-dn convert="false"/>

The shim returned the error that the class Group was not supported, which I
found surprising. The entitlement uses the <arg-association> element rather
than <arg-dn> when specifying the target group, but the code is quite

Also, am I right in thinking that there would not be an easy way to modify
membership of unassociated groups, i.e. those that existed only in GroupWise
and not in the vault?
