In our organization we have multiple AD domains that trust each
other (say A.com, B.com, etc.). And we have Novell Identity Manager
synchronizing users & groups of one of these domains (say A.com) with
Edir.

Let us assume A.com has users A1,A2,A3 and B.com has users B1,B2,B3.

A.com can have groups with members from both A.com and B.com because
they are trusted domains. Let us assume that a group say 'grp_A' resides
in A.com and has A1,A2,B1 as its members in AD side.

When we bring this group from AD to Edir for the first time, 'grp_A'
will only have A1,A2 as members as it doesn't have any idea about B1.

In such a scenario, if we try to establish a bi-directional
synchronization between Edir and AD, when the data flows from Edir to
AD, user B1 will lose his membership for 'grp_A' in AD.

Is there any way to prevent this from happening? What we are trying to
achieve is that the sync process should ignore (and not remove)
additional members of the group in AD during synchronization.


--
Sridhar_Annamalai