OnPostModify (via DirSync) catching update operations as deletes

So I've got a weird one I'm hoping somebody can help me figure out.

I have a powershell script to watch for changes via DirSync and onPostModify validate the values of the managedBy attribute.

I've attached the script to a policy and selected the "Handle changes from DirSync control".

A shortened version of my script looks like so:

function onPostModify($Request)

{

     # I only care about changes that happened outside of ARS

     if ($Request.Parameter("RequestSource") -eq $Constants.EDST_MOD_SOURCE_AD ) {

          # Only process requests for groups

          if ($Request.Class -ne "group") {return}

          # Only process changes to the managedBy attribute

          $managedByRequestItem = $Request.GetPropertyItem("managedBy",$Constants.ADSTYPE_DN_STRING)

          if ($managedByRequestItem -ne $null)

          {

               if ($managedByRequestItem.ControlCode -eq $Constants.ADS_PROPERTY_UPDATE)

               {

                    # Validate the new value here

               }

          }

     }

}

The problem is that when a user changes the value via ADUC the request seems to appear as a DELETE operation with the old value in the request. I never see an UPDATE request or the new name anywhere, unless I query the object.

Here is a sample of the Request when I turn on debugging. The red text is the old value.

<------------------- $Request  XML ------------------------>

<?xml version="1.0" encoding="utf-16"?>

<ModifyRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" dn="CN=groupa,OU=Managed Groups,DC=contoso,DC=com" xmlns="urn:schemas-quest-com:ActiveRolesServer">

  <Attributes>

    <Attribute name="managedBy" operation="Delete" type="String">

      <Values>

        <Value>CN=smith1,OU=users,DC=contoso,DC=com</Value> 

      </Values>

    </Attribute>

    <Attribute name="ADsPath" operation="Replace" type="String">

      <Values>

        <Value>LDAP://dc1.contoso.com:636/CN=groupa,OU=Managed Groups,DC=contoso,DC=com</Value>

      </Values>

    </Attribute>

  </Attributes>

  <Controls>

    <Control id="13">

      <Values>

        <Value>dc1.contoso.com</Value>

      </Values>

    </Control>

  </Controls>

</ModifyRequest>

<------------------- $Request  XML ------------------------>

Am I missing something here? How do I catch the update request and check the new value?

I figured I'd ask here before I opened a ticket with support.