
Synchronizing Group Membership to Active Directory

Novell Cool Solutions: Question & Answer

Posted: 13 Oct 2004

Q:
In eDirectory, User objects have the attribute "Group Membership" to track the groups they belong to, while Group objects have the attribute "Member" to track their users.

In Active Directory, the attributes are "memberOf" for Users and "member" for Groups, or so we would think. The attribute memberOf is actually a convenience attribute that can be read but not set. Trying to set or modify this attribute results in an error.

A:
To synchronize group membership, synchronize just the "Member" attribute of Groups in eDirectory to the "member" attribute of groups in Active Directory. "Group Membership" and "memberOf" will be taken care of by their respective directories.

Note: In eDirectory, the attributes "Member" and "Equivalent To Me" for Groups and "Group Membership" and "Security Equals" for Users are usually changed in tandem (tools such as ConsoleOne change the value of "Equivalent To Me" when a user is added to or removed from a Group).

The set of rules provided for Active Directory drivers with NSure Identity Manager 2.0 has a Publisher Command Transformation rule that clones the changes to "Member" to "Equivalent To Me". As with "Group Membership", it is not necessary to include rules to deal with "Security Equals".
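The following driver filter fragment is an added example of what the answer above recommends; it is not taken from the original article or from the shipped Active Directory driver configuration. It uses the Identity Manager filter format, in which attributes not listed for a class are not synchronized. Only "Member" on Group is set to sync in both channels; the back-reference attributes ("Group Membership", "Security Equals", "Equivalent To Me") are explicitly ignored so neither channel ever tries to write them. The "CN" entries are illustrative; a real filter will list whatever other attributes the deployment synchronizes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example filter (added here, not the driver's shipped filter). -->
<filter>
  <!-- Groups: only Member crosses the channel, in both directions. -->
  <filter-class class-name="Group" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
    <!-- Maintained locally (ConsoleOne, or the Publisher clone rule); never synced. -->
    <filter-attr attr-name="Equivalent To Me" publisher="ignore" subscriber="ignore"/>
  </filter-class>
  <!-- Users: the back-reference attributes stay local to each directory.
       The AD side has no "memberOf" mapping at all, since it cannot be set. -->
  <filter-class class-name="User" publisher="sync" subscriber="sync">
    <filter-attr attr-name="CN" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Group Membership" publisher="ignore" subscriber="ignore"/>
    <filter-attr attr-name="Security Equals" publisher="ignore" subscriber="ignore"/>
  </filter-class>
</filter>
```

With this filter, the Schema Mapping policy only needs the single Group attribute mapping ("Member" to "member"); eDirectory keeps "Group Membership" and "Security Equals" consistent on its own, and Active Directory computes "memberOf" from "member".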
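The rule below is an added example, written in DirXML Script, of the kind of Publisher Command Transformation the answer describes; it is not the actual policy shipped with the Identity Manager 2.0 Active Directory driver. It assumes the group events arrive from the Publisher channel as "add" or "modify" operations on class "Group" (the standard event shapes), and it copies every change to "Member" onto "Equivalent To Me" so that a group populated by the driver carries the same security equivalence grant that ConsoleOne would have created by hand. "Security Equals" needs no rule because eDirectory maintains it from "Equivalent To Me", just as it maintains "Group Membership" from "Member".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example Publisher Command Transformation policy (added here; not the shipped driver policy). -->
<policy>
  <rule>
    <description>Clone Member changes to Equivalent To Me on group modify</description>
    <conditions>
      <and>
        <if-class-name op="equal">Group</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="Member" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Copies each add-value/remove-value on Member to Equivalent To Me,
           so removals revoke the equivalence as well as additions granting it. -->
      <do-clone-op-attr src-name="Member" dest-name="Equivalent To Me"/>
    </actions>
  </rule>
  <rule>
    <description>Clone Member to Equivalent To Me on group add</description>
    <conditions>
      <and>
        <if-class-name op="equal">Group</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-op-attr name="Member" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-clone-op-attr src-name="Member" dest-name="Equivalent To Me"/>
    </actions>
  </rule>
</policy>
```

Because this rule runs in the Command Transformation, after the Publisher filter, the "ignore" setting on "Equivalent To Me" in the filter does not block it; the filter only governs what the application side is allowed to send. Verify the result with a trace of a single membership change: the modify reaching eDirectory should carry both a "Member" and an "Equivalent To Me" change, and the user object should then show the group under both "Group Membership" and "Security Equals" without any further rule.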



© 2008 Novell, Inc. All Rights Reserved.