Solved

coping with Active Dir nested groups and Identity Manager 2

Posted on 2006-07-19
5
590 Views
Last Modified: 2013-12-03
Hi there,

i am busy setting up our publisher channel to sync objects back into our edir using IM2 and am just testing what happens when nesting groups within AD..

Obviously IM picks this up as a change of membership and throws an error in the DStrace as follows

Status: Warning
Message: Code(-8011) Error processing reciprocal linking attribute (\tree\company\ou\adgroup#Security Equals): novell.jclient.JCException: modifyEntry -608 ERR_ILLEGAL_ATTRIBUTE

how do people cope with group nests when using identity manager? it does seem that it adds the object in to the group in edir but obviously it wouldnt operate as a nest.

is there anyway to veto out all nests and what do people do at migration time?
0
Comment
Question by:huziy
  • 2
5 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 17140264
"migration time?"  

Migration from AD to eDirectory?  That's handled with the Server Consolidation utility, not by Identity Manager.

Nested groups is an AD construct to get around its inherent design limitations.  It's illogical and cumbersome.  However, there should be a way to translate them, somehow, to an eDirectory structure.  Maybe it's covered in a more user-friendly fashion in IM3.

If you're migrating from AD to eDirectory and using IM2 as a sync tool during a gradual migration, I'd suggest re-modeling the group structures in AD to eliminate nested groups, unless you're actually hitting AD group membership limits and not using it as a convenience.

Hopefully, someone working directly with IM2 will post back.
0
 

Author Comment

by:huziy
ID: 17140680
Sorry we are not migrating to edir.. we have edir and are implementing AD along side edir

I will be using the current groups we have in edir and syncing them accross as Global groups. These then will be nested into Domain local groups in AD
0
 

Author Comment

by:huziy
ID: 17173601
i ended up creating a rule to place any new DL groups into their own OU in edir.. these can then be ignored in the edir environment. I noticed that if you look at the members of a DL group in edr you can see the other group which normally is impossible to do in edir.. (and has no function)

it seems to cause no problems and if you remove the membership in edir it replicates into AD
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399772
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
A Short Story about the Best File Recovery Software – Acronis True Image 2017
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now