於三，2005-10-26 於 08:44 -0600，David Boreham 提到：

Rich Megginson wrote:

> I think it's ok.  Administrator is a "pseudo" user - it's only used 
> for Windows domain administration.  I don't think it follows the 
> schema for a user.  Does the Administrator entry have a full name or a 
> surname?  There are other pseudo users that fall into this category, 
> such as the kerberos kdc user.  You could probably fill in the missing 
> attributes and make it sync over, but it doesn't really matter unless 
> you want to use the Administrator entry on unix.

True (in fact, the special users in AD are not supposed to get sync'ed 
at all),
but I'm puzzled about the group member being sync'ed. By design, only
group members that are also already present in the peer directory should
be sync'ed. Therefore, if things are working to plan, the Administrator user
should not be sync'ed, and neither should any group member that has its
DN.

Thanks for all of these answers. But I still have a problem with it. I try to add some users in
my AD and fill their property values, such as full name, surname. Then I invoke sync process
again and check my directory tree in my FDS. It still have no user sync from AD. What's wrong
with it? Do I miss something important?

Regards
Joe