In our organization we have multiple AD domains that are trusted to each
other (say, etc.,). And we have Novell Identity Manager
synchronizing users & groups of one of these domains (say with

Let us assume has users A1,A2,A3 and has users B1,B2,B3. can have groups with members from both and because
they are trusted domains. Let us assume that a group say 'grp_A' resides
in and has A1,A2,B1 as its members in AD side.

When we bring this group from AD to Edir for the first time, 'grp_A'
will only have A1,A2 as members as it doesn't have any idea about B1.

In such a scenario, if we try to establish a bi-directional
synchronization between Edir and AD, when the data flows from Edir to
AD, user B1 will lose his membership of 'grp_A' in AD.

Is there any way to prevent this from happening? What we are trying to
achieve is that the sync process should ignore (and not remove)
additional members of the group in AD during synchronization.

