BUT, membership for groups does not flow at all (i.e. i cannot provision membership for user in the child domain into groups in its parent domain) What does "does not flow at all" mean? Have you updates staged in the connector space that don't flow? Cheers, MarkusMarkus Vilcinskas, Knowledge Engineer, Microsoft Corporation

I'll second Markus's questions... and also: Are you using a single MA for all domains in the forest? Cross-forest group membership approaches wouldn't apply here, as foreignSecurityPrincipals are an inter-forest thing only.

Hi All, I have configured a my FIM to import groups from a database and to automatically generate criteria based groups in the the Portal (this works perfectly well). I have criteria based group is the portal. However, my AD architecture presents some challenges. My groups exist in parent domain of a forest, and my users exist in a child domain. I can provision the users and the groups into the correct domains. BUT, membership for groups does not flow at all (i.e. i cannot provision membership for user in the child domain into groups in its parent domain) Anbody got any ideas.. I was pondering that I may need to follow the cross-forest provisioning scenario.. but not convinced. Thanks.. Oh and I have already configured the forest configuration, all the domain configurations and associated the domains with the forest configuration. I also have created a criteria based set for all domains in the forest.