Basically I have written rules that move users to/from AD Organizational
Unit containers whenever the NDS user OU attribute changes. If your OU
changes you basically now work for a different part of the University; for
security I want to remove the user from all domain security groups.

I am trying to do a for-each on the readonly memberOf attributes to feed a
remove-dest-attr member from each group.

The memberships come across but the rest just dies. No errors and the rest
of the rules are not processed.

- Any help is appreciated.

Below is a copy of the rule and a portion of the Remote Loader level 3 trace to

<description>Placement Dest OU is Changing - remove User from Domain
<if-local-variable name="OU-Changing" op="available"/>
<if-class-name op="equal">User</if-class-name>
<token-dest-attr name="memberOf"/>
<do-remove-dest-attr-value class-name="Group" name="member">
<token-local-variable name="current-value"/>
<arg-value type="string">

Part of the level 3 trace on the remote loader:
<product version="3.0.1" asn1id="" build="20040720_1203"
instance="\TT7\JMUT\MDSET\Active Directory">AD</product>
<contact>Novell, Inc.</contact>
src-dn="CN=publicjq,OU=CoB,OU=ACD,OU=JMUma,DC=JMUTestAD,DC=jmu,DC=edu"
class-name="user" event-id="0">
<attr attr-name="memberOf">
<value type="dn" association-ref="f9d42df41655b8408b1fc3e9c5e253d9"
naming="true">CN=test-grp2,OU=Groups,OU=JMUma,DC=JMUTestAD,DC=jmu,DC=edu </value>
<value type="dn" association-ref="6cf3fcf928af9344b869229c41183d0b"
naming="true">CN=test-grp1,OU=Groups,OU=JMUma,DC=JMUTestAD,DC=jmu,DC=edu </value>
<status level="success" event-id="0"/>
DirXML: [02/07/06 16:20:03.85]:
DirXML Log Event -------------------
Driver = \TT7\JMUT\MDSET\Active Directory
Thread = Subscriber Channel
Level = success
DirXML: [02/07/06 16:20:54.59]: ADDriver: Publisher Poll
DirXML: [02/07/06 16:21:54.59]: ADDriver: Publisher Poll