I want to realize the following:

I have a special OU (OU=Portal.OU=GRUPPEN.O=PKR.T=ROOT) in my private tree
which contains some user groups. These groups are distributed correctly into
my second NDS. Each user in the entire path of the organization
(O=PKR.T=ROOT) who is a member of any group in this special OU should be
created in my second NDS. All other users must not exist in the second NDS,
so when a user is not a member of any group in this special OU anymore it
must be deleted in the second NDS.

I have tried to do it in this way:

I have placed an event transformation policy:

If Classname equal User
and if source attribute group membership not equal (source-DN)
"\ROOT\PKR\GRUPPEN\Portal"
then
Veto()

Unfortunately, this does not work because the rule issues a veto every time.

How do I have to do it?

Thank you very much for your help,

Dietmar