We now have some groups in FIM. Both the ones created in FIM and those that come from the HR system.
We now need to configure FIM to export these groups to AD.
As discussed earlier, we now need to consider the
groupType attribute in AD.
We also need to consider if we have different needs depending on group type.
At The Company, they have decided that FIM should not delete security groups once created in AD. This is a common approach, since deleting a security group—and thereby its SID (Security ID)—might cause dramatic events, if the group is used for some kind of permission. Recreating a group with the same name will not recreate the SID and will not fix the permissions.
On the other hand, when talking about distribution groups, ...