Permissions are not propagated to Active Directory if applied to a Managed Unit.
Permissions for the objects that were already members of the MU when the Access Template was applied are synchronized to Active Directory.
However, for objects added to the MU later, the permissions are not synchronized to Active Directory.
Running the Sync of Permissions to Active Directory built-in scheduled task manually does not resolve the issue.
By default, the automatic synchronization of permissions applied at Managed Unit level to Active Directory is disabled for performance optimization reasons.
Synchronize permissions manually in the Advanced Details Pane | Native Security tab.
Right-click the entry that is marked as not synced (a red square) and select Resync from Quest One ActiveRoles Security.
To enable automatic synchronization, follow the steps below.
Note: the change is immediate and a service restart is not required.
The permissions will be synced by the built-in scheduled task Sync of Permissions to Active Directory the next time it runs as scheduled.
Also, you can run the task manually at any time:
Configuration | Server Configuration | Scheduled Tasks | Builtin
NOTE: It is recommended to use Dynamic Groups instead of Managed Units to assign and synchronize permissions to Active Directory due to the performance impact that may occur in Active Roles when enabling the Sync to Native Security option from the Managed Unit. This is currently being reviewed under Enhancement Request 223222.