ADMA Outbound - GroupMembership ADD now fails with "permission-issue" after adding "false=>MembershipLocked" to sync rule

I have implemented declarative rules for managing a specific group from a source forest to target forest. I have successfully added users to the group by modifying the source group and having them sync to the target group membership.

Even with it working I was seeing errors that the required attribute "membershipLocked" was missing, and after reviewing documentation and blogs I added it to the inbound attribute flow on the source & target connectors. It is set to "false".

Now I am getting permission errors on the Add to membership on the target.  Any suggestions?

Thanks, Stu

September 14th, 2015 10:24am

Troubleshooting this issue indicated that the error is caused by my target group being a PROTECTED group, as it is a member of the Domain Admins group.

What is the best way to handle managing a group by FIM when it is protected and AD automatically disables inheritance and marks AdminGroup = 1?

Should I assign the required MA account permissions directly on the target group?

-Stu

September 14th, 2015 12:01pm
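The situation Stu describes is the AdminSDHolder mechanism: a group that is a member of Domain Admins (directly or nested) is stamped adminCount=1, inheritance on it is disabled, and the SDProp process (every 60 minutes by default) overwrites its ACL with the ACL of CN=AdminSDHolder,CN=System in the domain. That is why an MA account that had inherited permissions to write group membership suddenly gets "permission-issue" on the target group. The script below is an added example, not code from the original thread, showing how to confirm the protected state, grant the MA account write access to the member attribute directly on the group (which SDProp will revert), and the alternative of granting it on AdminSDHolder itself so the ACE survives propagation. The group name and service account are placeholders; the schemaIDGUID for the member attribute is bf9679c0-0de6-11d0-a285-00aa003049e2.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# (RSAT) and an account that can modify the group's / AdminSDHolder's security descriptor.
# Placeholder names - replace with your own:
$GroupName = 'Target-Group'          # hypothetical protected target group
$MaAccount = 'CONTOSO\svc-fim-ma'    # hypothetical FIM/MIM management agent account

Import-Module ActiveDirectory

# 1. Confirm the group is AdminSDHolder-protected: adminCount=1 and inheritance blocked.
function Test-ProtectedGroup {
    param([string]$Name)
    $g = Get-ADGroup -Identity $Name -Properties adminCount, nTSecurityDescriptor
    [pscustomobject]@{
        Group              = $g.DistinguishedName
        AdminCount         = $g.adminCount
        InheritanceBlocked = $g.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# 2. Build an ACE granting "Write Property" on the member attribute only
#    (least privilege: the MA does not need GenericWrite on the whole group).
function New-MemberWriteAce {
    param([string]$Account)
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid)
}

function Grant-MemberWrite {
    param([string]$DistinguishedName, [string]$Account)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-MemberWriteAce -Account $Account))
    Set-Acl -Path $path -AclObject $acl
}

$state = Test-ProtectedGroup -Name $GroupName
$state | Format-List

if ($state.AdminCount -eq 1) {
    # Option A: grant directly on the group. Works immediately, but SDProp will
    # replace the group's ACL with the AdminSDHolder template on its next run
    # (default 60 min) and the ACE disappears - this explains "it worked, then broke".
    Grant-MemberWrite -DistinguishedName $state.Group -Account $MaAccount

    # Option B: grant on AdminSDHolder so the ACE is stamped onto EVERY protected
    # object (all protected groups and users) by SDProp. Durable, but far wider in
    # scope than one group, so treat the MA account as a tier-0 credential.
    $nc = (Get-ADRootDSE).defaultNamingContext
    Grant-MemberWrite -DistinguishedName "CN=AdminSDHolder,CN=System,$nc" -Account $MaAccount
}
```

Use only one of the two options in practice. Option A is fine for a one-off test of the sync rule; if the MA must manage the group permanently, either take the group out of the protected set (remove it from the nesting into Domain Admins or the other protected groups) so it is no longer subject to SDProp, or accept the tier-0 exposure of Option B and scope the MA account accordingly. After changing AdminSDHolder you can wait for SDProp or trigger it yourself by writing the RunProtectAdminGroupsTask rootDSE operational attribute on the PDC emulator.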