AD-Sync enhancements

We want to sync our active directory server-objects into devolution-database and present them to our RDM-Users

a.) computer move in AD -> computer is not moved in Database - even on resync -> (would be nice if we can keep that in sync! [write a value if computer was created by sync script and which sync script -> if sync-script has enabled total-sync then every computer-object can be recognized and compared... )
a sync script should keep up the sync..
b.) access rights
we do have a 3 tier RBA concept

blue - these are the real domain admins
division-admins they are responsible for all sites under their influence
site-admin - responsible for one our more sites

if a new site is generated in AD -> the site is created by our sync script in devolution database -> someone has to set the permissions manually

b1.) let us script that! (create of security groups / create of roles) -> customize of access rights within a role
(e.g. 100 sites -> means clicking 600 times [all the checkboxes...]) -> script!
b2.) assignment of security groups to the tree (script enablement)
b3.) if we break it down and create multiple sync scripts -> assign access rights within what groups a sync script creates

some of this is coming in v 12 I guess

c.) call (sync) script(s) automatically outside of RDM

thanks!
best
marko