This KB article explains how frequently the Endpoint Prevent agent queries the AD server to resolve logged-on user groups for group-based conditions in DLP policies.
The Endpoint Agent queries the AD server based on the following triggers:
The edpa process starts.
A user logs into the system.
Every 7 days (by default) if the agent is continuously running. This interval is configurable in the Advanced Agent Settings via the GroupResolution.DAYS_DATA_STALING.int property. For more details, refer to the Advanced Agent Settings documentation.
If the Endpoint Agent cannot reach the AD server at the 7-day mark, it will retry daily. These retry attempts occur at the exact same time of day as the last successful connection.
Example: If the last successful connection occurred at 9:00 AM on Monday, the agent will next attempt to connect at 9:00 AM the following Monday. If that attempt fails, it will retry at 9:00 AM on Tuesday, 9:00 AM on Wednesday, and so on, until a connection is successfully established.
If the Endpoint Agent cannot reach the AD server at startup, it reads the local grp.ead cache file, located by default in the C:\Program Files\Manufacturer\Endpoint Agent directory.
This often occurs for VPN users, as the edpa process startup or user logon typically happens before the machine establishes its secure network connection to the AD server. In this scenario, the agent falls back to the grp.ead file at startup and will not attempt a network refresh until the 7-day mark (or subsequent daily retries).
Worst-Case Scenario
If the grp.ead file does not exist and the Endpoint Agent cannot connect to the AD server, the agent will treat the user as if they belong to no groups.
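The retry schedule and the startup fallback order described above, as an added Python model that is not part of this KB article or the Endpoint Agent code; the function names and the group lists are assumptions used for illustration, and only the default 7-day interval comes from the article.

```python
from datetime import datetime, timedelta

# Default of GroupResolution.DAYS_DATA_STALING.int as stated in the article.
DEFAULT_STALE_DAYS = 7


def scheduled_attempts(last_success: datetime, until: datetime,
                       stale_days: int = DEFAULT_STALE_DAYS) -> list:
    """Times at which the agent will try to refresh group membership from AD
    between last_success and `until`: first at the stale-days mark, then once
    a day at the same time of day, until an attempt succeeds (not modelled)."""
    attempts = []
    t = last_success + timedelta(days=stale_days)
    while t <= until:
        attempts.append(t)
        t += timedelta(days=1)
    return attempts


def resolve_groups(ad_groups, cache_groups):
    """Fallback order at edpa start / user logon (hypothetical helper):
    live AD answer if reachable, else the local grp.ead cache, else no groups.
    ad_groups is None when AD is unreachable; cache_groups is None when
    grp.ead does not exist. Returns (groups, source)."""
    if ad_groups is not None:
        return list(ad_groups), "ad"
    if cache_groups is not None:
        return list(cache_groups), "grp.ead"
    return [], "none"   # worst case: user treated as belonging to no groups


if __name__ == "__main__":
    # Constructed scenario: last successful AD query Monday 9:00, then the
    # VPN user starts the agent before the tunnel is up.
    last_ok = datetime(2024, 1, 1, 9, 0)          # 2024-01-01 is a Monday
    groups, source = resolve_groups(None, ["DLP-Finance", "Domain Users"])
    print(f"startup groups from {source}: {groups}")
    for when in scheduled_attempts(last_ok, datetime(2024, 1, 10, 12, 0)):
        print("AD refresh attempt scheduled at", when.strftime("%a %Y-%m-%d %H:%M"))
```

Running the scenario shows the cached groups being used at startup and refresh attempts on Monday, Tuesday and Wednesday at 9:00, which is the window in which group-based policy conditions may rely on stale membership.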