Rich Megginson wrote:
> I think it's ok. Administrator is a "pseudo" user - it's only used
> for Windows domain administration. I don't think it follows the
> schema for a user. Does the Administrator entry have a full name or a
> surname? There are other pseudo users that fall into this category,
> such as the kerberos kdc user. You could probably fill in the missing
> attributes and make it sync over, but it doesn't really matter unless
> you want to use the Administrator entry on unix.

True (in fact, the special users in AD are not supposed to get sync'ed at all), but I'm puzzled about the group member being sync'ed. By design, only group members that are also already present in the peer directory should be sync'ed. Therefore, if things are working to plan, the Administrator user should not be sync'ed, and neither should any group member that has its DN.