I know this thread is kind of old, but I am attempting to do something similar.
I have a situation where the client has a forest with 6 different domains. There is a main domain and some 5 other domains that are separate companies but still a part of the same forest. A user is created in AD based upon the company they will be in, but their AD ID needs to be added to groups in another domain. So they are created in their primary domain and are added to groups in the secondary domain. So I had all the groups in the AD forest switched to Universal instead of Global so this can happen, and I created some jobs and scripts to provision the user in their own primary domain and assign some local groups, as well as place them in distribution groups in the secondary domain; the secondary domain is always the same for all users.

I did this by first DIRECT assigning the ONLY priv of the secondary domain, then assigning the value in their primary ACCOUNTAD1 attribute to the ACCOUNTAD2 attribute, then provisioning the groups (priv:groups in a role), then doing everything in reverse (unassigning the ACCOUNTAD1 attribute from the ACCOUNTAD2 attribute), then DIRECT unassigning the ONLY priv of the secondary domain. Works great.
Now here is my issue. I get a request to automate the transfer of a user from one domain to another based upon a trigger from HR. Because I DIRECTLY added and then DIRECTLY removed the secondary domain's ONLY priv, I redid that process to remove the distribution groups from the secondary domain, but before I can DIRECTLY reassign the secondary domain's ONLY priv, the modify AD User plug-in kicks off and fails. This is baffling me. Why is the secondary domain triggering anything when the ONLY priv is not even assigned? I know I am missing something small. Would the fact that the secondary AD's groups are still assigned cause the trigger?