Hello,
I have a quite standard AD integration with Identity Manager.
In this scenario some default roles are attached to internal IDM dynamic groups membership in order to automatically grant (and revoke) roles when users get (or lose) some attributes.

In detail, at creation time, active users get 2 default roles (1 for AD account, and 1 for a specific AD group membership).
These roles are correctly and automatically granted by RRSD based on the membership of a dynamic group.
All this works correctly and symmetrically: when a user is deactivated, it automatically loses the dynamic group membership, and the RRSD correctly revokes the 2 roles (AD account, and AD group membership).

The problem occurs when the AD driver tries to enforce these revocations on Active Directory: it correctly removes the AD account (the driver is actually configured to disable AD account and move it to a designed OU) but it doesn't delete the AD group membership. The operation fails with an error on the driver side (which is also not notified, thus giving the false feedback that the role is correctly removed).
The reason for this is that the AD driver (triggered by RRSD) removes the AD account BEFORE deleting the AD group membership; this of course leads to the error on the AD endpoint side.

The error is constant, it happens in the same way, for every user's deactivation; all roles are revoked in IDM, AD account is disabled and moved, but all AD group memberships are left untouched.

My question is: as in my opinion this is a very basic AD provisioning/deprovisioning task, is there anything I'm doing wrong? I was trying to achieve basic automatic attribute-based provisioning tasks by using a smart implementation (dynamic groups, RRSD, etc.), thus avoiding custom policies and keeping things clean, simple, and easily maintainable.

Thank you in advance.

Here is the extraction from the Version Discovery Tool:

Code:
Identity Manager Version Discovery Tool v2.0
Novell, Inc.  Copyright 2003, 2004

Parameter Summary:
	Found 17 Identity Manager Drivers

Driver Set:  DriverSet.Services.Vault
	Driver Set running on Identity Vault:  XXX.Services.Vault
		Last log time:  Wed Mar 14 15:11:24 CET 2018
		Found eDirectory attributes associated with Identity Manager 4.5.4.0 AE

	Driver:  RoleResourceService.DriverSet.Services.Vault
		Driver name:  Identity Manager Roles and Resource Service Driver
		Driver module:  com.novell.nds.dirxml.driver.nrf.NRFDriverShim
		Driver Set running on Identity Vault:  XXX.Services.Vault
			Driver ID:  ROLESVC
			Driver version:  4.5.0.0
	
	Driver:  UserApplication.atmDriverSet.Services.Vault
		Driver name:  Identity Manager Composer and/or User Application Service Driver
		Driver module:  com.novell.idm.driver.ComposerDriverShim
		Driver Set running on Identity Vault:  XXX.Services.Vault
			Driver ID:  UAPROV
			Driver version:  0.20141007.205046
	
	Driver:  AD.DriverSet.Services.Vault
		Driver name:  Identity Manager Driver for Active Directory and Exchange 2000
		Driver module:  addriver.dll
		Driver Set running on Identity Vault:  XXX.Services.Vault
			Driver ID:  AD
			Driver version:  4.0.2.0
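
Because the failed revocation described in the post is not reported back to IDM, the leftover memberships can only be seen on the AD side. The following is an added example, not part of the original post and not NetIQ code: a PowerShell filter that flags disabled accounts which still hold explicit group memberships. The function name, the sample objects and the OU placeholder are assumptions made for illustration.

```powershell
# Added example: report disabled accounts that still carry group memberships.
# Input objects need Enabled, SamAccountName, DistinguishedName and MemberOf,
# which is the shape Get-ADUser returns when called with -Properties MemberOf.
function Find-ResidualGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # Only deprovisioned (disabled) accounts are of interest.
        if ($User.Enabled) { return }

        # memberOf does not list the primary group (normally Domain Users),
        # so every value here is an explicit membership that survived.
        $groups = @($User.MemberOf | Where-Object { $_ })
        if ($groups.Count -eq 0) { return }

        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            DistinguishedName = $User.DistinguishedName
            GroupCount        = $groups.Count
            ResidualGroups    = $groups -join '; '
        }
    }
}

# Constructed sample objects (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $false
        DistinguishedName = 'CN=jdoe,OU=Disabled,DC=example,DC=test'
        MemberOf = @('CN=App-Users,OU=Groups,DC=example,DC=test') }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false
        DistinguishedName = 'CN=asmith,OU=Disabled,DC=example,DC=test'
        MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'bwhite'; Enabled = $true
        DistinguishedName = 'CN=bwhite,OU=Users,DC=example,DC=test'
        MemberOf = @('CN=App-Users,OU=Groups,DC=example,DC=test') }
)

# Only jdoe is reported: disabled and still a member of App-Users.
$sample | Find-ResidualGroupMembership | Format-List

# Against a live directory (ActiveDirectory module; the OU DN is a placeholder):
# Get-ADUser -Filter 'Enabled -eq $false' -SearchBase 'OU=<disabled-users-OU>,DC=example,DC=test' `
#     -Properties MemberOf | Find-ResidualGroupMembership
```

This only detects the leftover memberships; it does not change the order in which the driver processes the two revocations.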