Channel: Microsoft Identity Manager forum

AD group membership: sync rules vs. MA attribute flows?

Ran across a curious behavior, and I'm wondering if I'm doing something wrong?

The initial configuration (from a consultant) came with an AD MA with a single outbound attribute flow "member => member" for groups. (Member does not flow in from AD, either.) There is also an outbound sync rule with a small number of persistent flows, including "member => member". The sync rule basically works because I can create a group in the portal and the AD MA will create a corresponding group. Further, if I change something with another tool (say, change a group's displayName via PowerShell), FIM picks up on that and changes it back using the outbound sync rule.

A synchronization preview, however, always shows "Not applied" for the rule's member flow, and "Applied" for everything else.

I removed the AD MA attribute flow for member, and now the synchronization preview says "Applied" for the member flow. The problem is that the membership in the AD group is never updated! Unlike displayName, if I change the membership using an outside tool (ADUC), FIM synchronization will never change it back. And if I create a new criteria-based group in the portal, a corresponding group in AD is created, but members are never added. "View members" in the portal lists members, and the MV object's members match.

I am not using deferred evaluation, and just to make sure, I let things run in this state overnight in my QA system. The AD group's membership never gets in sync with FIM.

Do I really have to specify an attribute flow for member in the MA rather than use a sync rule?

Running FIM 2010 R2. Thanks in advance, -Les
