When VMware Identity Manager is upgraded to version 3.1 or later, the group membership sync behavior depends on when the group DN was configured in the service.
When you upgrade to VMware Identity Manager 3.1 or later, new groups that you add to the service after the upgrade sync their members when the group is entitled to a resource or when the group is added to an access policy rule. Subsequent syncs of this group follow the older behavior.
Groups that were added prior to upgrading to 3.1 continue to sync group members as they are added to the group, even if the group is not entitled to resources or used in an access policy rule. That is, the pre-3.1 behavior is retained for existing groups and users.
If a group exists before the upgrade and its DN configuration is modified, the group sync profile is changed to the new behavior. Group names sync to the directory. Group members sync when the group is entitled to a resource or when the group is added to an access policy rule.
Even when entitlements are removed from a group, the users in the group continue to sync in subsequent syncs.
If a local group is created in the VMware Identity Manager service that includes Active Directory groups and the local group is entitled to resources, users that belong to the Active Directory groups in the local group are not synced to the directory as part of the entitlement. To sync users that are in the Active Directory groups, entitle the Active Directory group directly to the resources.