The AD Object Merge process does not preserve group membership for connector-created contacts that are members of distribution groups. As a result, when AD Object Merge is run against Active Directory distribution groups that contain contacts, the contacts are removed and the distribution groups are left missing members.
This is by design. Individual members of groups are stored in AD as distinguished names, and the merge process alters the DNs, thus breaking membership.
If connector-created contacts are part of distribution groups, the AD Object Merge process will erase these contacts from the membership list. This is because the connector-created contacts are deleted during the merge process. Furthermore, the newly mail-enabled security objects have a different DN than the contacts they were merged with. Group membership lists are stored in AD as DNs, and the merged objects will have a different DN than the now-deleted connector contacts.
The above is a process-related issue that can be solved as follows:
1. Do not modify group memberships in AD after provisioning distribution groups the first time. Then, after the AD Object Merge process, run the provisioning again. This uses the previous (and unchanged) groups to provision file to repopulate the membership. The Groups to provision process searches Active Directory by primary SMTP proxy, not by DN. If these proxies are not modified in AD, membership will be restored after the merge process.
2. When a change of membership is made in AD, reflect this change manually in the groups to provision file. This ensures that the abk file is up to date, so the provisioning process can be run after the merge process without affecting membership.
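One way to confirm that re-provisioning restored every member is to snapshot membership keyed by primary SMTP address before the merge and compare it afterwards. The script below is an added example, not part of the original article or of the Quest tooling; it assumes the Microsoft ActiveDirectory PowerShell module, and the function name, OU path and CSV path are placeholders.

```powershell
# Added example: record distribution-group membership by primary SMTP address
# (which survives the merge) instead of by DN (which does not).
Import-Module ActiveDirectory

function Get-GroupSmtpMembership {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -SearchBase $SearchBase `
                -Properties member, mail | ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            # Get-ADObject is used because Get-ADGroupMember does not return contacts.
            $m = Get-ADObject -Identity $dn -Properties proxyAddresses
            # The primary SMTP proxy is the entry with the upper-case "SMTP:" prefix.
            $primary = $m.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                       Select-Object -First 1
            $smtp = ''
            if ($primary) { $smtp = $primary.Substring(5).ToLower() }
            [pscustomobject]@{
                Group       = [string]$group.mail
                MemberSmtp  = $smtp
                ObjectClass = $m.ObjectClass   # contact before the merge, user after
                MemberDN    = $dn              # expected to change across the merge
            }
        }
    }
}

$ou       = 'OU=Groups,DC=example,DC=com'      # placeholder OU
$snapshot = '.\dl-membership-before.csv'       # placeholder path

if (-not (Test-Path $snapshot)) {
    # First run, before AD Object Merge: save the baseline.
    Get-GroupSmtpMembership -SearchBase $ou | Export-Csv $snapshot -NoTypeInformation
} else {
    # Later run, after the merge and re-provisioning: list every
    # (group, member SMTP) pair that existed before and is missing now.
    $seen = @{}
    foreach ($r in Get-GroupSmtpMembership -SearchBase $ou) {
        $seen["$($r.Group)|$($r.MemberSmtp)"] = $true
    }
    Import-Csv $snapshot |
        Where-Object { -not $seen.ContainsKey("$($_.Group)|$($_.MemberSmtp)") } |
        Select-Object Group, MemberSmtp, MemberDN
}
```

An empty result on the second run means every member recorded in the baseline is present again under its primary SMTP address; any rows returned are members that re-provisioning did not restore.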