Crowd Data Center / CWD-4801

Provide a feature for Crowd to always re-evaluate group memberships in Active Directory with Incremental Sync



    Description

Environment

1. Microsoft Active Directory
2. Two or more directories defined in Crowd, each with Incremental Sync enabled
3. Each directory has a Base DN of OU=Users,DC=example,DC=com
4. Each directory has an empty Group DN (i.e., groups can come from anywhere below the base DN, and are available to both directories)
5. The first directory has a UserDN set to OU=Finance
6. The second directory has a UserDN set to OU=Marketing
7. A user, test, exists in Finance
8. A group, SomeGroup, exists in the Base DN, and is available to both directories
9. The test user is a member of this group

Steps to reproduce

1. Sync the directories; the test user will appear in the directory pointing to Finance
2. Move the test user to the Marketing OU
3. Sync the directories again

Expected Results

1. The membership for SomeGroup should be present in the second directory (the one that points to Marketing)

Actual Results

1. The membership for SomeGroup is not present in either directory
      Investigation

An incremental sync against Active Directory checks the uSNChanged attribute of each object. If an object's uSNChanged has not changed, that object is not updated by the sync. When a user is moved, no update is written to the group itself to point at the user's new location: AD adjusts that group's membership under the hood in a way that does not trigger an update to the group's uSNChanged, so the incremental sync never re-reads the group.

      Impact

      The loss of memberships can be painful to diagnose and is unexpected in this configuration.

      Is this a bug? / Workarounds

No, because Crowd is working from what AD provides. Performing a full synchronisation, or updating the group (then performing an incremental sync), will produce the required results. This only needs to be done once after the move; subsequent incremental syncs will function correctly.

      What is the suggested enhancement?

Provide an option in Crowd for it to always re-evaluate group memberships during an incremental sync. While this may be a performance hit (and it should be labelled as such), we should provide the option to ensure memberships are consistent and correct after users are moved in the directory.
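The Investigation and the suggested enhancement above can be modelled in a few lines. The following is an added illustration, not Crowd's or Atlassian's code: it simulates two Crowd directories doing a uSNChanged-based incremental sync against a constructed AD with the test user and SomeGroup, reproduces the lost membership after the move, and shows the effect of a hypothetical `reevaluate_groups` option. Object GUIDs, the USN values and the `sync`/`reproduce` helpers are assumptions made for the simulation.

```python
from dataclasses import dataclass, field

BASE_DN = "OU=Users,DC=example,DC=com"     # Base DN shared by both Crowd directories

@dataclass
class AdObject:
    guid: str
    kind: str                                  # "user" or "group"
    dn: str
    usn: int                                   # uSNChanged: bumped only when AD writes to this object
    members: set = field(default_factory=set)  # group members by GUID (links follow a moved object)

@dataclass
class CrowdDirectory:
    user_ou: str                                   # the directory's UserDN, e.g. "OU=Finance"
    users: dict = field(default_factory=dict)      # guid -> dn of users Crowd holds for this directory
    groups: dict = field(default_factory=dict)     # group dn -> set of member guids
    highest_usn: int = 0                           # high-water mark used by Incremental Sync

def in_scope(d, dn):
    return dn.endswith(f"{d.user_ou},{BASE_DN}")

def sync(d, ad, full=False, reevaluate_groups=False):
    """One sync pass: full reads every object, incremental only those with uSNChanged above the mark."""
    for obj in [o for o in ad if o.kind == "user"]:
        if full or obj.usn > d.highest_usn:
            if in_scope(d, obj.dn):
                d.users[obj.guid] = obj.dn
            else:                                   # user no longer under this UserDN
                d.users.pop(obj.guid, None)
                for m in d.groups.values():
                    m.discard(obj.guid)             # its memberships in this directory go with it
    for obj in [o for o in ad if o.kind == "group"]:
        if full or reevaluate_groups or obj.usn > d.highest_usn:
            d.groups[obj.dn] = {m for m in obj.members if m in d.users}
    d.highest_usn = max(o.usn for o in ad)

def reproduce(reevaluate_groups):
    """Returns (membership seen by Finance dir, membership seen by Marketing dir) after the move."""
    test = AdObject("u1", "user", f"CN=test,OU=Finance,{BASE_DN}", usn=100)       # constructed
    group = AdObject("g1", "group", f"CN=SomeGroup,{BASE_DN}", usn=101, members={"u1"})
    ad = [test, group]
    finance, marketing = CrowdDirectory("OU=Finance"), CrowdDirectory("OU=Marketing")
    for d in (finance, marketing):
        sync(d, ad, full=True)                      # step 1: initial sync
    test.dn, test.usn = f"CN=test,OU=Marketing,{BASE_DN}", 102   # step 2: move bumps only the user's USN
    for d in (finance, marketing):
        sync(d, ad, reevaluate_groups=reevaluate_groups)  # step 3: incremental sync
    return ("u1" in finance.groups[group.dn], "u1" in marketing.groups[group.dn])
```

Without the option the function returns `(False, False)`, the "Actual Results" above; with it, `(False, True)`, the expected state, at the cost of re-reading every group on each incremental pass.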

People

mmakowski Mareusz (Inactive)
dnorton@atlassian.com Dave Norton