Include Remote Groups During Synchronization
You can configure whether to consider universal groups on unmanaged endpoints during synchronization. This setting is useful in an environment in which not all domains of an Active Directory forest are managed by Identity Manager.
imgc
- You can include remote groups during synchronization with Provisioning Manager but not with the Identity Manager User Console.
- This section applies to Identity Manager only.
You can configure whether to consider universal groups on unmanaged endpoints during synchronization. This setting is useful in an environment in which not all domains of an Active Directory forest are managed by Identity Manager.
For example, in a forest that has three domains, only two domains are managed. An account has one universal group in all the three domains. In this example, the account's policy says that the account should not belong to any group.

To allow groups in unmanaged domains to be a part of synchronization, set the ADS_MANAGE_GROUPS environment variable. By default, this variable is not set and the feature is turned off.
- If you do not set the ADS_MANAGE_GROUPS environment variable, synchronization ignores groups in unmanaged domains:
- When you check the account synchronization, the groups in the managed domains are flagged but the groups in the unmanaged domains are not considered.
- When you synchronize the account, the managed groups are removed from the user and the unmanaged groups remains unchanged.
- If you configure the ADS_MANAGE_GROUPS environment variable, synchronization searches the global catalog to find any remote universal groups that the account is a member of:
- When you check the account synchronization, all three groups are flagged.
- When you synchronize the account, all three groups are removed from the account.
ADS_MANAGE_GROUPS Environment Variable -- Consider Groups in Unmanaged Domains When Synchronizing
The ADS_MANAGE_GROUPS environment variable defines whether the synchronization operation considers universal groups in unmanaged domains.
This environment variable has the following value:
xy
- x:Defines whether the synchronization operation searches the global catalog. The value ofxcan be 0 or 1:
- 0: (Default) The synchronization operation queries the local catalog only. It does not consider universal groups in unmanaged domains.When x is set to 0, theyvalue has no effect.
- 1: Synchronization queries the global catalog to allow it to consider groups in unmanaged domains.
- y:Defines which domains the synchronization operation considers.
- 0: Synchronization considers groups in both managed and unmanaged domains.
- 1: Synchronization considers groups in managed domains only.
If you change the value of this environment variable, restart Computer Server for the variable to take effect.