By default, Identity Manager creates groups in AD as Global. Getting it to create them as Universal instead can be an issue.


In the Subscriber channel under the Creation Rule, create a new rule. I called mine “Create Groups as Universal.”

If class name = group, then set destination attribute value("groupType", class name="Group", "-2147483640").

This now creates all groups as universal groups in AD. Just a little tip: if you use parent and child domains and want to have groups created, make them universal so that you can add users cross-domain.

Note: This solution was tested in an environment with NetWare 6.5 SP5 and IDM 3.0.


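<rule>
  <description>Create Groups as Universal</description>
  <conditions><and><if-class-name mode="nocase" op="equal">Group</if-class-name></and></conditions>
  <actions><do-set-dest-attr-value class-name="Group" name="groupType">
    <arg-value type="string"><token-text xml:space="preserve">-2147483640</token-text></arg-value>
  </do-set-dest-attr-value></actions>
</rule>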
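
Why the rule writes -2147483640: groupType is a bit field that AD stores as a signed 32-bit integer, and this value is the security-enabled bit plus the universal-scope bit (0x80000008). The Python below is an added example, not part of the original tip or of Identity Manager; the function names are made up for illustration, and the bit values are the documented Active Directory groupType flags.

```python
# Added example: build and decode Active Directory groupType values.
# Function names are hypothetical; the bit values are the documented AD flags.

SCOPES = {"global": 0x2, "domain_local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000  # set = security group, clear = distribution group


def to_signed32(value):
    """Return value as the signed 32-bit integer that LDAP/AD expects."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def build_group_type(scope, security=True):
    """Compute the groupType string value for a scope and group kind."""
    bits = SCOPES[scope] | (SECURITY_ENABLED if security else 0)
    return to_signed32(bits)


def decode_group_type(value):
    """Decode a groupType (int or string, signed or unsigned)."""
    bits = int(value) & 0xFFFFFFFF
    scopes = [name for name, bit in SCOPES.items() if bits & bit]
    if len(scopes) != 1:
        # A valid group carries exactly one scope bit.
        raise ValueError(f"expected exactly one scope bit in 0x{bits:08X}")
    return {
        "scope": scopes[0],
        "security_enabled": bool(bits & SECURITY_ENABLED),
        "hex": f"0x{bits:08X}",
    }


if __name__ == "__main__":
    # The value used in the policy above.
    print(decode_group_type("-2147483640"))
    # Values for the other combinations, for comparison.
    for scope in SCOPES:
        for security in (True, False):
            kind = "security" if security else "distribution"
            print(f"{scope:13} {kind:13} {build_group_type(scope, security)}")
```

Because the policy sets the security-enabled bit, the groups it creates can be used in ACLs; clearing that bit gives a distribution group of the same scope.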

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Jun 14, 2006
12:00 am