After reading up on how IDM handles data (thanks, Geoffrey Carman), I ran a trace. I believe the matching policy is kicking out all data bound for AD.

Below are two snippets from the log. What I am ignorant of is what "Rule Selected" and "Rule Rejected" mean. Also, where the "Rule Selected" message appears, there is "Action: do-veto()". Is this the actual logic failure event which results in the rejection of the add event?

Thanks, Chris.

[02/04/10 07:24:49.894]:veto ST:Applying policy: %+C%14Csub-mp-EntitlementsImpl%-C.
[02/04/10 07:24:49.895]:veto ST: Applying to add #1.
[02/04/10 07:24:49.895]:veto ST: Evaluating selection criteria for rule 'UserAccount entitlement: do not match existing accounts'.
[02/04/10 07:24:49.895]:veto ST: (if-class-name equal "User") = TRUE.
[02/04/10 07:24:49.895]:veto ST: (if-global-variable 'drv.entitlement.UserAccount' equal "true") = FALSE.
[02/04/10 07:24:49.895]:veto ST: Rule rejected.
[02/04/10 07:24:49.896]:veto ST:Policy returned:
[02/04/10 07:24:49.896]:veto ST:
.
.
.
.
.
[02/04/10 07:24:49.898]:veto ST:Applying policy: %+C%14Csub-mp%-C.
[02/04/10 07:24:49.898]:veto ST: Applying to add #1.
[02/04/10 07:24:49.898]:veto ST: Evaluating selection criteria for rule 'veto out-of-scope events'.
[02/04/10 07:24:49.898]:veto ST: (if-op-property 'attempt-to-match' not-available) = TRUE.
[02/04/10 07:24:49.899]:veto ST: Rule selected.
[02/04/10 07:24:49.899]:veto ST: Applying rule 'veto out-of-scope events'.
[02/04/10 07:24:49.899]:veto ST: Action: do-veto().
[02/04/10 07:24:49.899]:veto ST:Policy returned:
[02/04/10 07:24:49.899]:veto ST:
<nds dtdversion="3.5" ndsversion="8.x">