We are running IDM 4.7 on a Linux server. We have 1000+ dynamic groups which add members based on a given condition/query. We have corresponding static groups that are associated to equivalent groups in Active Directory.

The members from the dynamic groups are added to the static groups using a Loopback driver.

The process is described below:
1. Members are added to the dynamic group based on the query condition.
2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.
3. The group member add event (in IDM) is then picked up by the Active Directory driver, which adds the user to the associated AD group.

Somehow, we see that the members of the static group in IDM do not match the members of the AD group.
Example: Group-abc in IDM has 10 members, but Group-abc in AD has around 100 members.

It's happening not only for one group, but for several groups.

Solution: we want to fix this issue so that the members in AD stay the same as in IDM.

Question 1: How this can be fixed?

There is the Migrate from IDVault option on the subscriber driver to sync/resync an object to the Application (in this case to AD).
Can we use this option and select a group in IDM, so that the members will be synced to AD to have equivalent members?

Does this option work in the above-mentioned manner?

Please let us know if there's any other option.

Question 2: Also, please let us know if we can track/identify from AD whether members were added manually and by whom, using some driver policy/rule on the publisher channel of the AD driver.

Question 3: Similarly, can we use the filter option "Merge authority" set to IDVault to keep the AD members the same as in IDM, and resync again or remove any members that were added directly to the AD group?

Thanks in advance.

Best regards,
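The member comparison that the questions above turn on, as an added example that is not part of the original post: a reconciliation of an IDM static group against its AD counterpart that reports members missing in AD, members present in AD that no IDM member maps to, and IDM members that cannot be compared because they have no AD association. The DNs, the shape of the association mapping (IDM DN to AD DN, as the AD driver's DirXML-Associations would provide) and the sample data are constructed assumptions; real input would come from LDAP searches against eDirectory and AD.

```python
from dataclasses import dataclass


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: strip spaces around each RDN, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass(frozen=True)
class DriftReport:
    missing_in_ad: frozenset   # expected from IDM membership, absent from the AD group
    extra_in_ad: frozenset     # present in the AD group, not derived from any IDM member
    unassociated: frozenset    # IDM members with no AD association; cannot be compared

    @property
    def in_sync(self) -> bool:
        return not (self.missing_in_ad or self.extra_in_ad or self.unassociated)


def reconcile(idm_members, ad_members, association) -> DriftReport:
    """Compare an IDM static group with its AD group via the IDM-to-AD DN mapping."""
    assoc = {normalize_dn(k): normalize_dn(v) for k, v in association.items()}
    idm = {normalize_dn(m) for m in idm_members}
    ad = {normalize_dn(m) for m in ad_members}
    unassociated = {m for m in idm if m not in assoc}
    expected_ad = {assoc[m] for m in idm if m in assoc}
    return DriftReport(
        missing_in_ad=frozenset(expected_ad - ad),
        extra_in_ad=frozenset(ad - expected_ad),
        unassociated=frozenset(unassociated),
    )


# Constructed sample data (assumed, not real directory content).
IDM_GROUP_MEMBERS = [
    "cn=alice,ou=users,o=vault",
    "CN=Bob, OU=Users, O=Vault",      # same entry as cn=bob, written with different casing/spacing
    "cn=carol,ou=users,o=vault",      # never synced to AD: no association
]
ASSOCIATION = {  # IDM DN -> AD DN, as recorded by the AD driver association (assumed format)
    "cn=alice,ou=users,o=vault": "CN=alice,OU=Users,DC=example,DC=com",
    "cn=bob,ou=users,o=vault": "CN=bob,OU=Users,DC=example,DC=com",
}
AD_GROUP_MEMBERS = [
    "CN=alice,OU=Users,DC=example,DC=com",
    "CN=mallory,OU=Users,DC=example,DC=com",  # not derived from IDM: added directly in AD
]


def sample_report() -> DriftReport:
    return reconcile(IDM_GROUP_MEMBERS, AD_GROUP_MEMBERS, ASSOCIATION)
```

Run over a real export, a non-empty `extra_in_ad` set is the list to review (or to remove if IDM is treated as the authority), and `missing_in_ad` is the list a resync should add.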