Hi Team,

We have a requirement to reconcile only few OU groups in Active Directory. But few additional groups are reconciling which are memberOf some accounts.

We need to reconcile only Application and Server OUs. Which is defined in  advanceGroupFilter. As observed, we are getting additional groups from Domain OU due to some users which we reconcile are having memberOf of Domain groups.

"advanceGroupFilter": {
"memberOf": {
"OU=Server,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
],
"OU=Application,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
]
}

Customer don't want to reconcile these additional groups which Saviynt is not managing. Please let us know, how we restrict these additional groups.