Unexpected ADSGroup Update process error: "Access is denied"
说明
Active Directory (AD) Synchronization scope only includes AD accounts that are for Employees (Identities). There are a number of errors pertaining to 'group_membersalldn_Set_Remove on ADSGroup' objects which should not touch group memberships in AD. It appears that Identity Manager (1IM) is attempting to remove members that are excluded from the AD Sync from an AD Group.
原因
The "Retain groups if temporarily disabled" option is NOT selected in the Account Definition for the applicable Employees. When Employees are temporarily deactivated the associated ADSAccount will lose its group membership, if it is Full managed via the Account Definition.
解决办法
If the Full Managed ADSAccount associated with an Employee should retain its group memberships when the Employee is temporarily deactivated, ensure the "Retain groups if temporarily disabled" option is selected:
For more information please refer to the Administration Guide for Connecting to Active Directory:Editing manage levels.