Hi,

I have a special problem with syncing eDir groups to AD which are
placed in specified OUs.

We're using IDM 3.6.1 to sync users from eDirectory (8.8.5) to MAD.

Our tree looks like this:

-Tree
-O
-EUROPE
-Country
-City
-Branch
-Groups
-AD-Groups

I sync all groups which are placed under "AD-Groups" to MAD using a
policy rule in the Event Transformation Policy:

<rule>
  <description>Block Groups except AD-Groups</description>
  <comment name="author" xml:space="preserve">FM</comment>
  <comment name="version" xml:space="preserve">1.0</comment>
  <conditions>
    <or>
      <if-class-name notrace="true" op="equal">Group</if-class-name>
    </or>
    <or>
      <if-src-dn notrace="true" op="not-in-container">ORGANIZATION\EUROPE\SWEDEN\BRANCH\GROUPS\AD-GROUPS</if-src-dn>
    </or>
    <or>
      <if-src-dn notrace="true" op="not-in-container">ORGANIZATION\EUROPE\GERMANY\BRANCH\GROUPS\AD-GROUPS</if-src-dn>
    </or>
    <or>
      ...
    </or>
  </conditions>
  <actions>
    <do-status level="warning">
      <arg-string>
        <token-src-dn/>
        <token-text xml:space="preserve">Operation vetoed by Block Group Policy!</token-text>
      </arg-string>
    </do-status>
    <do-veto/>
  </actions>
</rule>

Since we now have more than 60 branches in Europe, the policy is
getting longer and longer.

Now my question: isn't there a smarter and easier way to handle that?
Can I use wildcards like "ORGANIZATION\EUROPE\*\*\GROUPS\AD-GROUPS" or
"ORGANIZATION\EUROPE\...\...\GROUPS\AD-GROUPS"?

Any help is appreciated.

Thank you in advance.


--
digitweety
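
The check this rule performs, modelled in Python as an added example (not part of the original post and not DirXML Script): one anchored pattern stands in for the per-branch not-in-container conditions, and it is run over constructed sample DNs. It assumes DNs written as in the post, exactly two levels (country, branch) between EUROPE and GROUPS, and case-insensitive matching; the names COMPONENT, ALLOWED_PARENT, parent_container, should_veto and vetoed are hypothetical.

```python
import re

# One DN component: any run of characters that does not cross a "\" separator.
# A naive "*" -> ".*" translation would cross separators and match any depth.
COMPONENT = r"[^\\]+"

# Allowed parent container: ORGANIZATION\EUROPE\<country>\<branch>\GROUPS\AD-GROUPS
ALLOWED_PARENT = re.compile(
    r"ORGANIZATION\\EUROPE\\" + COMPONENT + r"\\" + COMPONENT + r"\\GROUPS\\AD-GROUPS",
    re.IGNORECASE,  # assumption: DN comparison is case-insensitive
)


def parent_container(src_dn):
    """Return the DN of the container that directly holds the object."""
    head, sep, _leaf = src_dn.rpartition("\\")
    return head if sep else ""


def should_veto(class_name, src_dn):
    """Veto Group events whose direct parent is not an allowed AD-GROUPS container."""
    if class_name.lower() != "group":
        return False  # the rule in the post only applies to the Group class
    # fullmatch anchors both ends, so AD-GROUPS-OLD or deeper paths do not pass.
    return ALLOWED_PARENT.fullmatch(parent_container(src_dn)) is None


# Constructed sample events: (class name, source DN).
SAMPLES = [
    ("Group", r"ORGANIZATION\EUROPE\SWEDEN\BRANCH\GROUPS\AD-GROUPS\Sales"),
    ("Group", r"ORGANIZATION\EUROPE\GERMANY\BRANCH\GROUPS\AD-GROUPS\Finance"),
    ("Group", r"ORGANIZATION\EUROPE\SWEDEN\BRANCH\GROUPS\Local"),
    ("Group", r"ORGANIZATION\EUROPE\SWEDEN\BRANCH\GROUPS\AD-GROUPS-OLD\Sales"),
    ("Group", r"ORGANIZATION\EUROPE\SWEDEN\BRANCH\GROUPS\AD-GROUPS\Sub\Nested"),
    ("User", r"ORGANIZATION\EUROPE\SWEDEN\BRANCH\USERS\jdoe"),
]


def vetoed(samples):
    """Return the source DNs of the events the rule would veto."""
    return [dn for cls, dn in samples if should_veto(cls, dn)]


if __name__ == "__main__":
    for cls, dn in SAMPLES:
        print("VETO" if should_veto(cls, dn) else "SYNC", cls, dn)
```

The nested group is vetoed because the model keeps the in-container meaning of the original conditions: only objects directly inside an AD-GROUPS container pass.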