Issue
If using group membership as a user filter (see example below), any new users created and added to this group before the profile runs its initial sync will get picked up as in scope. If, after the initial sync, you add an existing user object to this group but do not update the user in order to increment the USN attribute on the user object, then they will not get synced in the subsequent runs of the profile.
Cause
This is due to the way Active Directory updates user USNs. When a profile runs, it notes the last user USN record so that it knows where to start the next sync from.
When you add a user to a group, Active Directory does not update the user USN. Unless there have been other changes to the account, when the profile next runs the user object will have a lower USN than the one stored for the profile, so the object will not get picked up as in scope.
Resolution
If you require users to be immediately picked up when using a group membership, you will need to ensure that you also trigger a different change to the user object in addition to adding that user to the group, in order to increment the USN value on the user object. This will ensure the sync picks up the user object in scope on the next run.
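One way to script the resolution above with the ActiveDirectory PowerShell module, shown as an added example that is not part of the original article or the product's own tooling. It adds the user to the group, makes a second write to the user object, and confirms that `uSNChanged` actually increased. The parameter names, the choice of `info` as the attribute to touch, and querying the domain controller the profile reads from are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: add a user to the filter group, then make a second write to
# the user object so its USN moves past the value the profile stored.
param(
    [Parameter(Mandatory)] [string] $User,    # sAMAccountName or DN
    [Parameter(Mandatory)] [string] $Group,   # group used as the profile's user filter
    [Parameter(Mandatory)] [string] $Server,  # assumption: the DC the profile reads from
    [string] $TouchAttribute = 'info'         # assumption: unused attribute, its value is overwritten
)
$ErrorActionPreference = 'Stop'

function Get-UserUsn {
    # uSNChanged is kept per domain controller, so always ask the same one.
    $u = Get-ADUser -Identity $User -Properties uSNChanged -Server $Server
    [long]$u.uSNChanged
}

$groupDn  = (Get-ADGroup -Identity $Group -Server $Server).DistinguishedName
$userObj  = Get-ADUser -Identity $User -Properties memberOf -Server $Server
$usnStart = Get-UserUsn

# Step 1: the membership change. This writes to the group object, not the user.
if ($userObj.memberOf -notcontains $groupDn) {
    Add-ADGroupMember -Identity $groupDn -Members $userObj -Server $Server
}
$usnAfterGroup = Get-UserUsn

# Step 2: a separate change on the user object itself. The timestamp makes the
# new value differ from whatever was stored before.
$stamp = 'Added to {0} on {1:o}' -f $Group, (Get-Date)
Set-ADUser -Identity $userObj -Replace @{ $TouchAttribute = $stamp } -Server $Server
$usnAfterTouch = Get-UserUsn

# Step 3: fail loudly if the user would still be skipped by the next run.
if ($usnAfterTouch -le $usnStart) {
    throw "uSNChanged for $User did not increase on $Server; the next sync will skip this user."
}

[pscustomobject]@{
    User            = $userObj.DistinguishedName
    UsnBefore       = $usnStart
    UsnAfterGroup   = $usnAfterGroup   # shows whether the group add alone moved the USN
    UsnAfterTouch   = $usnAfterTouch
    GroupAddMovedIt = ($usnAfterGroup -gt $usnStart)
}
```

Compare `UsnAfterGroup` with `UsnBefore` in the output to see the behaviour described under Cause in your own directory.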