I'm hoping someone can help me with a failed veto as an event transform
policy on the sub channel of my AD driver:

this is what I'm trying to do...

I want to veto everything if an attribute of a user is not a certain value.

My policy so far is this:

Condition:
if class name equal case insensitive "user"
and
if source attribute "NetAccountType" not equal to case insensitive "TREE"

Action:
trace message ("NO TREE value, so veto")
veto


Should this work? Am I missing something?
If I disable the first condition and only use the source attribute test then
it works perfectly. The NetAccountType attrib only applies to a user class
so would I even need the class test?

As always, any and all help is appreciated.