Cheers father, I reliased it after hitting my head on it a few more
times. I should have posted back again to say I was being foolish.
I've changed it so entitlements are handling it so no conflict

Thanks

MC

> You are trying to control account disabled both by synchronization and
> by entitlement and when they conflict with each other the default
> policies are favoring the entitlement. You can change the policies that
> implement the entitlement so that they check both the entitlement and
> the value of the attribute (and maybe the location?) in making the

decision.
>
> --
>
> Father Ramon
>
>
> mike@nova.net.nz wrote:
> > Ok been playing further and I've found its because of the account

move.
> > So what happens is
> > 1) user disabled in NDS
> > 2) account disable sync's to vault
> > 3) account disable sync's to AD
> > 4) account in vault is moved to inactive OU (.ACTIVE.USER.VAULT moves
> > to .INACTIVE.USER.VAULT)
> > 5) Entitlements (AD account and Exchange account) run on AD
> > 6) account in AD re-enabled since original object in .active... is
> > nolonger there
> > 7) account enable sync's to vault
> > 8) account enable sync's to NDS
> >
> > If I disable step 4 it works fine and the account remains disabled in

AD,
> > vault and NDS as I want it too. Any help as too why?
> >
> > Ta
> >
> > MC