Content filtering rules with Active Directory user conditions do not apply as configured.

Article ID: 152940

Products

Mail Security for Microsoft Exchange

Issue/Introduction

After configuring a content filtering rule with a user condition that specifies an Active Directory (AD) group on Exchange, you notice that the rule still applies, but the user condition does not appear to apply correctly.

For example, suppose you configure a rule to look for the word "test" in the subject line of a message, and configure a user condition that says "Apply if the sender of the message is NOT in the list" and specifies an AD group. If you then send a message with the word "test" in the subject line from a user who is a member of that AD group, the rule will apply. The expected behavior of this configuration is that the rule should not apply, because of the user exemption.

If you collect a DebugView log file as per the document 'How to Obtain a Debug Logs for Symantec Mail Security for Microsoft Exchange (SMSMSE)' while reproducing the problem, you'll see an entry similar to the following:

[3484] ..\..\..\src\Server\SAVFMSESP\CFRuleEnginePrimer.cpp(693) :
[3484]  Debug Trace:  HRESULT=0x80070005 - Access is denied.

Cause

The service account used by the SMSMSE service does not have appropriate DCOM permissions to evaluate AD group user conditions.
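
To confirm that a collected log contains this specific failure, the following added example (not Symantec's code and not part of the original article) scans DebugView text for an access-denied trace raised from CFRuleEnginePrimer.cpp and decodes the HRESULT into its facility and Win32 error code. It assumes the two-line entry format shown in the excerpt above; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: the two-line entry from the article plus an unrelated line.
SAMPLE_LOG = r"""[3484] ..\..\..\src\Server\SAVFMSESP\CFRuleEnginePrimer.cpp(693) :
[3484]  Debug Trace:  HRESULT=0x80070005 - Access is denied.
[3484] constructed unrelated line
"""

# Assumed line shapes, taken from the excerpt: "[pid] path.cpp(line) :" then
# "[pid]  Debug Trace:  HRESULT=0x........ - text"
SOURCE_RE = re.compile(r"^\[(\d+)\]\s+(\S+\.cpp)\((\d+)\)\s*:\s*$")
HRESULT_RE = re.compile(r"^\[(\d+)\]\s+Debug Trace:\s+HRESULT=0x([0-9A-Fa-f]{8})")

FACILITY_WIN32 = 7        # HRESULT facility used for wrapped Win32 errors
ERROR_ACCESS_DENIED = 5   # Win32 error code carried in the low 16 bits


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF


def find_access_denied(log_text, source_hint="CFRuleEnginePrimer.cpp"):
    """Return (pid, source_file, line_no, hresult) for each access-denied trace
    whose preceding source line from the same PID names source_hint."""
    hits = []
    last_source = {}  # pid -> (file, line) from the most recent source line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SOURCE_RE.match(line)
        if m:
            last_source[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = HRESULT_RE.match(line)
        if not m:
            continue
        pid, hr = m.group(1), int(m.group(2), 16)
        src = last_source.pop(pid, None)  # a trace consumes its source line
        failed, facility, code = decode_hresult(hr)
        if (src and src[0].endswith(source_hint) and failed
                and facility == FACILITY_WIN32 and code == ERROR_ACCESS_DENIED):
            hits.append((pid, src[0], src[1], hex(hr)))
    return hits


if __name__ == "__main__":
    for hit in find_access_denied(SAMPLE_LOG):
        print(hit)
```

A hit means the rule engine received Win32 error 5 (access denied), which matches the permission cause described here; traces with other HRESULT values or from other source files are ignored.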

Resolution

Add <service account> to the SMSMSE Admins group:

  1. Open the services console (Start -> Run, services.msc).
  2. Locate the 'Symantec Mail Security for Microsoft Exchange' service, right click, and select Properties.
  3. Click the Log On tab.
  4. Verify the account specified under 'This account'. This will be referred to as <service account>.
  5. Open Active Directory Users and Computers (Start -> All Programs -> Administrative Tools -> Active Directory Users and Computers).
  6. Locate the group 'SMSMSE Admins', right click, and select Properties.
  7. Select the Members tab.
  8. Click Add....
  9. In the 'Enter the object names to select (examples):' box, type SMSMSE Admins and click OK.
  10. Restart the SMSMSE service.

Your content filtering rules should now apply AD group user conditions as expected.

 

Applies To

  • The content filtering rule in question has a user condition that applies to an AD group. To verify if the rule meets this condition:

    1. Open the Symantec Mail Security for Microsoft Exchange (SMSMSE) console.
    2. Navigate to Policies -> Content Filtering rules.
    3. Double click the content filtering rule that is not working as expected.
    4. Select the Users tab.
    5. If there are any groups defined in the Active Directory groups box, this condition is met.

  • The SMSMSE service account is not a member of the SMSMSE Admins group. To verify if this condition is met:

    1. Open the services console (Start -> Run, services.msc).
    2. Locate the Symantec Mail Security for Microsoft Exchange service, right click, and select Properties.
    3. Click the Log On tab.
    4. Verify the account specified under This account. This will be referred to as <service account>.
    5. Open Active Directory Users and Computers (Start -> All Programs -> Administrative Tools -> Active Directory Users and Computers).
    6. Locate the group SMSMSE Admins, right click, and select Properties.
    7. Select the Members tab.
    8. If <service account> is not listed under Members, the condition is met.