My driver to AD is authoritative for creating users in a specific OU-subtree
in the domain.
Let's say: ou=org,dc=domain,dc=com. Below this "base", OUs are created for the
org structure; users are created in those lower-level OUs.
Example: CN=User1,OU=dep1,OU=org,DC=domain,DC=com

When matching, I want to match in the entire domain.
How can I detect (and send an e-mail) if the match was found in, or outside,
my base container?

While writing this down, basically the question is where to write a policy
to test if a match was found, and how to get from the query result the
object that was found.
I can see the information is available in the query result (snippet below).

I want to do this in both channels of an AD driver.
Some DirXML Script examples would be greatly appreciated. (IDM 3.5.1)


Matching Rule
<description>Users: match on LoginID</description>
<comment xml:space="preserve">Objects are matched anywhere in the AD, not
just the relative position in the hierarchy.</comment>
<if-class-name mode="case" op="equal">User</if-class-name>
<do-find-matching-object scope="subtree">
<token-parse-dn dest-dn-format="ldap" length="2" src-dn-format="ldap"
<token-global-variable name="gcv-user-placement"/>
<arg-match-attr name="DirXML-ADAliasName">
<arg-value type="string">

[12/24/08 10:02:38.291]:IV2AD ST: Applying schema mapping policies to
[12/24/08 10:02:38.291]:IV2AD ST: Applying policy:
[12/24/08 10:02:38.292]:IV2AD ST: Mapping class-name 'user' to
[12/24/08 10:02:38.292]:IV2AD ST: Resolving association references.
[12/24/08 10:02:38.294]:IV2AD ST: Query from policy result
[12/24/08 10:02:38.293]:IV2AD ST:
<nds dtdversion="1.1" ndsversion="8.7">
<product asn1id="" build="20070823_095000"
<contact>Novell, Inc.</contact>
<instance class-name="User" event-id="0"
<status event-id="0" level="success"/>
[12/24/08 10:02:38.295]:IV2AD ST: Match found:
[12/24/08 10:02:38.295]:IV2AD ST: Action: do-break().