Thanks. I found my issue, I needed to move the rule to the Command Trans. I realized in the Create rule I did not have a Dest-DN yet to operate on. Stupid.

Everything works and a new user gets added to an existing AD group; however, I still get an error about not being able to synchronize the member attribute. I am confused, as I do not have the Group class or the member attribute from the User class in my filter. Is there something hard-coded with groups in AD?

<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.10.4747">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add class-name="User" dest-dn="CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu" event-id="addom1#20091109145918#99#1" qualified-src-dn="dc=edu\dc=usg\dc=testad3\OU=staff\uniqueID=hector" src-dn="\VAULT\edu\usg\testad3\staff\hector" src-entry-id="487472">
      <add-attr attr-name="eduPersonAffiliation">
        <value timestamp="1239997320#41" type="string">Staff</value>
      </add-attr>
      <add-attr attr-name="Full Name">
        <value timestamp="1239997320#44" type="string">Hector Lopez</value>
      </add-attr>
      <add-attr attr-name="Given Name">
        <value timestamp="1239997320#9" type="string">Hector</value>
      </add-attr>
      <add-attr attr-name="Surname">
        <value timestamp="1239997320#16" type="string">Lopez</value>
      </add-attr>
      <add-attr attr-name="Title">
        <value timestamp="1239997320#3" type="string">Engineer</value>
      </add-attr>
      <add-attr attr-name="DirXML-ADAliasName">
        <value>hector@testad.usg.edu</value>
      </add-attr>
      <add-attr attr-name="CN">
        <value>hector</value>
      </add-attr>
      <add-attr attr-name="Login Disabled">
        <value type="string">false</value>
      </add-attr>
      <password><!-- content suppressed --></password>
      <operation-data attempt-to-match="true" unmatched-src-dn="uniqueID=yLopez">
        <password-subscribe-status>
          <association/>
        </password-subscribe-status>
      </operation-data>
    </add>
    <modify class-name="Group" dest-dn="CN=People,OU=Groups,OU=staff,DC=testad3,DC=usg,DC=edu" event-id="addom1#20091109145918#99#1">
      <modify-attr attr-name="member">
        <add-value>
          <value type="dn">CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>

[11/09/09 09:59:19.754]:Active Directory Primary ST:Filtering out notification-only attributes.
[11/09/09 09:59:19.754]:Active Directory Primary ST:Fixing up association references.
[11/09/09 09:59:19.755]:Active Directory Primary ST:
DirXML Log Event -------------------
Driver: \VAULT\edu\usg\driverset\Active Directory Primary
Channel: Subscriber
Object: \VAULT\edu\usg\staff\hector
Status: Warning
Message: Code(-8003) Unable to synchronize reference to CN=hector,ou=staff,dc=testad3,dc=usg,dc=edu from attribute member.



"David Gersic" <dgersic@no-mx.forums.novell.com> wrote in message news:siggs6-q0s.ln1@wintermute.is.niu.edu...
> On Fri, 06 Nov 2009 21:54:38 +0000, HeCtOr wrote:
>
>> What I am trying to do in a Create rule is add this user to an existing
>> Group in AD.
>
> If you search back a ways, I once posted a policy that will change the
> user's primary group in MAD to something other than Domain Users. To do
> this, it has to first add the user to the group. That part might help
> you, even if you don't need the other parts of it where I change the
> primary group pointer, then remove them from Domain Users.
>
>
> --
> ---------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
> Novell Knowledge Partner http://forums.novell.com
>
> Please post questions in the newsgroups. No support provided via email.
>