I have an issue that's driving me nuts... Windows 2008 AD using IDM 3.6.1
with latest patches.

I have a policy in the Output Transform that is setting the
member attribute of a Group object as follows -

<rule>
  <description>Add user to default groups </description>
  <comment xml:space="preserve">Add the users to default AD groups based on XXADlocation</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="case" op="equal">add</if-operation>
    </and>
  </conditions>
  <actions>
    <do-trace-message>
      <arg-string>
        <token-text xml:space="preserve">trace</token-text>
      </arg-string>
    </do-trace-message>
    <do-add-dest-attr-value class-name="Group" name="member">
      <arg-dn>
        <token-text xml:space="preserve">CN=</token-text>
        <token-attr name="xxADLocation"/>
        <token-text xml:space="preserve"> All Staff,</token-text>
        <token-global-variable name="ADGlobalGroupLocn"/>
      </arg-dn>
      <arg-value type="dn">
        <token-dest-dn/>
      </arg-value>
    </do-add-dest-attr-value>
  </actions>
</rule>

I end up with an add event in the trace as follows -

<input>
  <add cached-time="20100119231401.638Z" class-name="user"
       dest-dn="CN=test xxxgrp8,OU=Users,OU=xxx,OU=xxx,OU=xxx,dc=xxx,dc=xx x,dc=local"
       event-id="xxx201#20100119231401#2#2"
       qualified-src-dn="O=xxx\OU=Users\OU=Workforce\CN=testxxxgrp8"
       src-dn="\IDTREE\xxx\Users\Workforce\testxxxgrp8" src-entry-id="77802"
       timestamp="1263942838#60">
    <add-attr attr-name="givenName">
      <value timestamp="1263942838#5" type="string">test</value>
    </add-attr>
    <add-attr attr-name="displayName">
      <value timestamp="1263942838#4" type="string">test xxxgrp8</value>
    </add-attr>
    <add-attr attr-name="sn">
      <value timestamp="1263942838#3" type="string">xxxgrp8</value>
    </add-attr>
    <add-attr attr-name="userPrincipalName">
      <value>testxxxgrp8@xx.xx.local</value>
    </add-attr>
    <add-attr attr-name="sAMAccountName">
      <value>testxxxgrp8</value>
    </add-attr>
    <add-attr attr-name="dirxml-uACAccountDisable">
      <value type="string">false</value>
    </add-attr>
    <password><!-- content suppressed --></password>
    <operation-data attempt-to-match="true" unmatched-src-dn="CN=testxxxgrp8">
      <password-subscribe-status>
        <association/>
      </password-subscribe-status>
    </operation-data>
  </add>
  <modify class-name="Group"
          dest-dn="CN=xxx All Staff,OU=Global Groups,DC=xxx,DC=xxx,DC=local"
          event-id="xxx201#20100119231401#2#2">
    <modify-attr attr-name="member">
      <add-value>
        <value type="dn">CN=test xxxgrp8,OU=Users,OU=xxx,OU=xxx,OU=xxx,dc=xxx,dc=xx x,dc=local</value>
      </add-value>
    </modify-attr>
  </modify>
</input>

There are NO errors in the trace or remote loader at all. The CN values
are correct as I can look with an LDAP browser and compare the Group DN
and member values for other users that have been manually added and they
are correct.

I just don't get any membership added at all. The user isn't added to the
group and there is no clue as to why.

Any thoughts?