How to set up Identity Manager as the authoritative source for a subset of Active Directory (AD) group memberships, so that if Identity Manager has no record of a user holding an AD group, the account is automatically removed from that group during synchronization.
In the Identity Manager synchronization properties, the only available options for "objects only in target system" are the following:
Neither option causes Identity Manager to remove the invalid group membership from the AD account.
The functionality to remove objects from AD during synchronization is not built into version 6.1.2. A possible workaround is to delete objects/memberships in AD by ad-hoc jobs, but if the plan is to perform a mass deletion, note that this is highly risky and can create a disaster in AD. The idea is to build a next step that runs after the AD full sync. This step runs a "handleobjectcomponent - delete" task on the selected entries in the ADSAccountInADSGroup table.
High-level overview of the solution:
a) Add a generation condition: Value = $NamespaceManagedBy$ = "VISYNC" and $PC(ConfigName)$ = "AD Sync - delete memberships"
Note: This condition is only evaluated when synchronization starts, so the process is generated only at that point.
b) Add, at the end of the new process, a "handleobjectcomponent - delete" task on the selected entries in the ADSAccountInADSGroup table.
Note: The "Where" clause for this task should select, for example, all entries added during the last full sync (FullSyncState='I'; FullSyncDate should also be checked) and "CCC_DeleteAllowed@ADSGroup" = true.
If the synchronization configuration "AD Sync - delete memberships" is run, the new process is generated. All memberships that exist in AD for these specific groups are first added to Identity Manager (FullSyncState@ADSAccountInADSGroup='I'). The last step in the process then deletes those memberships from Identity Manager and from AD. The most important point is to correctly identify which memberships should be deleted, to avoid unintended deletion of other memberships. The idea is to recognize the memberships newly added to Identity Manager by the full sync and delete them in Identity Manager and AD afterwards. This is only a workaround for version 6.1.2; in version 7.0 the requirement is implemented natively.
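Because the whole risk of this workaround lies in the scoping of the "Where" clause, the following review query is an added example (not part of the original article) for inspecting the exact set of memberships the delete step would pick up before the step is wired into the process. It assumes UID_ADSAccount and UID_ADSGroup are the key columns of ADSAccountInADSGroup, that CCC_DeleteAllowed is a bit column added to ADSGroup, and that @FullSyncStart holds the start time of the full sync that just ran; the count threshold is a constructed site-specific value.

```sql
-- Added example: preview the memberships that the "handleobjectcomponent - delete"
-- step would select, before enabling the step. Assumed (not stated on the page):
-- UID_ADSAccount / UID_ADSGroup key columns, ADSGroup.CCC_DeleteAllowed as a bit
-- column, and @FullSyncStart as the start time of the most recent full sync.
DECLARE @FullSyncStart datetime = '2024-01-01T02:00:00';  -- constructed sample value
DECLARE @MaxDeletes    int      = 500;                    -- constructed safety threshold

-- Candidate rows: imported by the last full sync ('I') into a group that is
-- explicitly flagged for clean-up. FullSyncState alone is not sufficient; the
-- FullSyncDate guard keeps rows imported by earlier full syncs out of scope.
SELECT m.UID_ADSAccount,
       m.UID_ADSGroup,
       m.FullSyncDate
FROM   ADSAccountInADSGroup AS m
JOIN   ADSGroup             AS g ON g.UID_ADSGroup = m.UID_ADSGroup
WHERE  m.FullSyncState = 'I'
  AND  m.FullSyncDate >= @FullSyncStart
  AND  g.CCC_DeleteAllowed = 1;

-- Sanity check against a mis-scoped clause: an implausibly large candidate set
-- points at a wrong date window or a group flagged by mistake, so stop here
-- rather than letting the process step run a mass deletion.
IF (SELECT COUNT(*)
    FROM   ADSAccountInADSGroup AS m
    JOIN   ADSGroup             AS g ON g.UID_ADSGroup = m.UID_ADSGroup
    WHERE  m.FullSyncState = 'I'
      AND  m.FullSyncDate >= @FullSyncStart
      AND  g.CCC_DeleteAllowed = 1) > @MaxDeletes
BEGIN
    RAISERROR('Too many memberships selected for deletion; review the Where clause scoping.', 16, 1);
END;

-- The equivalent "Where" clause for the process step itself, expressed on the
-- ADSAccountInADSGroup table (the step runs once per selected row):
--   FullSyncState = 'I'
--   and FullSyncDate >= <start of the current full sync>
--   and UID_ADSGroup in (select UID_ADSGroup from ADSGroup where CCC_DeleteAllowed = 1)
```

Run the preview against a copy of the database or during a maintenance window first; the result set is the exact list of (account, group) pairs the delete step would remove from both Identity Manager and AD.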