Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 641
  • Last Modified:

coping with Active Dir nested groups and Identity Manager 2

Hi there,

i am busy setting up our publisher channel to sync objects back into our edir using IM2 and am just testing what happens when nesting groups within AD..

Obviously IM picks this up as a change of membership and throws an error in the DStrace as follows

Status: Warning
Message: Code(-8011) Error processing reciprocal linking attribute (\tree\company\ou\adgroup#Security Equals): novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE

how do people cope with group nests when using identity manager? it does seem that it adds the object in to the group in edir but obviously it wouldnt operate as a nest.

is there anyway to veto out all nests and what do people do at migration time?
0
huziy
Asked:
huziy
  • 2
1 Solution
 
ShineOnCommented:
"migration time?"  

Migration from AD to eDirectory?  That's handled with the Server Consolidation utility, not by Identity Manager.

Nested groups is an AD construct to get around its inherent design limitations.  It's illogical and cumbersome.  However, there should be a way to translate them, somehow, to an eDirectory structure.  Maybe it's covered in a more user-friendly fashion in IM3.

If you're migrating from AD to eDirectory and using IM2 as a sync tool during a gradual migration, I'd suggest re-modeling the group structures in AD to eliminate nested groups, unless you're actually hitting AD group membership limits and not using it as a convenience.

Hopefully, someone working directly with IM2 will post back.
0
 
huziyAuthor Commented:
Sorry we are not migrating to edir.. we have edir and are implementing AD along side edir

I will be using the current groups we have in edir and syncing them accross as Global groups. These then will be nested into Domain local groups in AD
0
 
huziyAuthor Commented:
i ended up creating a rule to place any new DL groups into their own OU in edir.. these can then be ignored in the edir environment. I noticed that if you look at the members of a DL group in edr you can see the other group which normally is impossible to do in edir.. (and has no function)

it seems to cause no problems and if you remove the membership in edir it replicates into AD
0
 
ee_ai_constructCommented:
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now