OID -> AD, Mapping OU's
550142 Dec 8 2006 — edited Aug 24 2007
Two questions about mapping OID users to AD OU's.
1. Can DIP create new AD OU's dynamically?
2. How can I create one DIP mapping for users to take into account many AD OU's?
Our OID is very flat, but AD has many OU's. In our picture of the world as academic depts, our OU's == ERP Dept assigned, from a DB. So in the DB Import mapping, OID is made to look like, DB_DEPARTMENT: : : :ou: :organizationalunit
So OID is aware of the OU a user "should be" assigned in AD, but how do I translate that into a new dynamic OU on AD, and furthermore, how do I create a single mapping to accommodate users moving between those OU's without creating a DIP mapping for every single OU?
It seems I can use the "Connected Directory Matching Filter" in the DIP Profile (integration configuration of oidadmin) to find the user anywhere in AD, but the mapping wants a specific DN to land the user in...
My current experiment looks something like:
Relevant Profile stuff:
Connected Directory Matching Filter == SAMAccountName
OID Matching Filter == modifiersname!=orclodipagentname=OIDtoADImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
employeeType=STAFF || employeeType=FACULTY
Relevant OIDtoAD.map stuff:
DomainRules
cn=Users,dc=usu,dc=edu:OU=Administered_OUs,DC=aggies:CN=%,OU=Administered_OUs,DC=AGGIES
AttributeRules
# Organizational Unit Mapping
ou: : :organizationalunit:ou: : organizationalunit
The DomainRules of course land everyone in the OU=Administered_OUs,DC=aggies, but I need it to create or modify dynamic OU's inside OU=Administered_OUs,DC=aggies. Then insert all the users in OU=[dynamicOU],OU=Administered_OUs,DC=aggies
Any thoughts or ideas?