Thanks. I found my issue, I needed to move the rule to the Command Trans. I realized in the Create rule I did not have a Dest-DN yet to operate on. Stupid.

Everything works and a new user gets added to an existing AD group, however I still get an error about not being able to synchronize the member attribute. I am confused as I do not have the Group class or the member attribute from the User class in my filter. Is there something hard-coded with groups in AD?

<nds dtdversion="3.5" ndsversion="8.x">


<product version="">DirXML</product>

<contact>Novell, Inc.</contact>



<add class-name="User" dest-dn="CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu" event-id="addom1#20091109145918#99#1" qualified-src-dn="dc=edu\dc=usg\dc=testad3\OU=staff\uniqueID=hector" src-dn="\VAULT\edu\usg\testad3\staff\hector" src-entry-id="487472">

<add-attr attr-name="eduPersonAffiliation">

<value timestamp="1239997320#41" type="string">Staff</value>


<add-attr attr-name="Full Name">

<value timestamp="1239997320#44" type="string">Hector Lopez</value>


<add-attr attr-name="Given Name">

<value timestamp="1239997320#9" type="string">Hector</value>


<add-attr attr-name="Surname">

<value timestamp="1239997320#16" type="string">Lopez</value>


<add-attr attr-name="Title">

<value timestamp="1239997320#3" type="string">Engineer</value>


<add-attr attr-name="DirXML-ADAliasName">



<add-attr attr-name="CN">



<add-attr attr-name="Login Disabled">

<value type="string">false</value>


<password><!-- content suppressed --></password>

<operation-data attempt-to-match="true" unmatched-src-dn="uniqueID=yLopez">






<modify class-name="Group" dest-dn="CN=People,OU=Groups,OU=staff,DC=testad3,DC=usg,DC=edu" event-id="addom1#20091109145918#99#1">

<modify-attr attr-name="member">


<value type="dn">CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu</value>






[11/09/09 09:59:19.754]:Active Directory Primary ST:Filtering out notification-only attributes.

[11/09/09 09:59:19.754]:Active Directory Primary ST:Fixing up association references.

[11/09/09 09:59:19.755]:Active Directory Primary ST:

DirXML Log Event -------------------

Driver: \VAULT\edu\usg\driverset\Active Directory Primary

Channel: Subscriber

Object: \VAULT\edu\usg\staff\hector

Status: Warning

Message: Code(-8003) Unable to synchronize reference to CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu from attribute member.

"David Gersic" <> wrote in message
> On Fri, 06 Nov 2009 21:54:38 +0000, HeCtOr wrote:
>> What I am trying to do in a Create rule is add this user to an existing
>> Group in AD.

> If you search back a ways, I once posted a policy that will change the
> user's primary group in MAD to something other than Domain Users. To do
> this, it has to first add the user to the group. That part might help
> you, even if you don't need the other parts of it where I change the
> primary group pointer, then remove them from Domain Users.
> --
> ---------------------------------------------------------------------------
> David Gersic
> Novell Knowledge Partner
> Please post questions in the newsgroups. No support provided via email.