Troubleshooting endpoint group based policy

Article ID: 160777

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover

Issue/Introduction

Troubleshooting the case where a group based policy fails to apply on an individual endpoint.

Resolution

Logging

Turn on the specific logger level for the group resolution service. Use the sqlite tool (as described in KB TECH219080) against cg.ead under the agent installation directory and run the following SQL statement:

insert or replace into configuration values('Logging', 'UserGroupResolverLevel', 'str', 'FINEST');

The agent must be restarted for the change to take effect. The logger level can also be changed with the "change log level" agent management task in the Altiris console; in that case no agent restart is required.

If group resolution succeeds, the log (edpa_ext*.log) normally shows lines like the following. Otherwise the failure and its error code are recorded there.

06/03/2009 17:00:41 |  2332 | FINER   | UserGroupResolver | Create group resolution task for:enforce\agill.
06/03/2009 17:00:41 |  2332 | FINER   | UserGroupResolver | Impersonated as user [ENFORCE\AGill].
06/03/2009 17:00:45 |  2332 | FINER   | UserGroupResolver | Done impersonation. Reverted to self.
06/03/2009 17:00:45 |  2332 | FINER   | UserGroupResolver | User [ENFORCE\AGill] groups resolved as:
 CN=Adam Gill,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=Domain Users,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=London Dist Group,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=Users,CN=Builtin,DC=enforce,DC=engdlp,DC=symantec,DC=com

Persisted user group membership

It is useful to display what the agent has resolved and persisted for user group membership. Use the sqlite tool against grp.ead under the agent installation directory and run the following SQL statement:

select * from usergroups;

The output is normally in the following format (domain, user name and group DN, separated by "|"). Look for the particular user name (usually the logon user). If there is no such entry, or the membership recorded for that user is wrong, an error occurred in the group resolution task and should have been logged in edpa_ext*.log.

ENFORCE|AGill|CN=Adam Gill,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=Domain Users,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=London Dist Group,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=Users,CN=Builtin,DC=enforce,DC=engdlp,DC=symantec,DC=com
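As an added example (not part of this article and not the DLP agent's own tooling), the following Python script automates the two checks described in the Logging and Persisted user group membership sections: it parses `select * from usergroups;` console output (rejoining DNs that the sqlite console wrapped at the terminal width), answers whether a user's persisted membership includes a given group, and scans edpa_ext*.log lines for resolution tasks that never reached "groups resolved as:", then reports groups the resolver logged that grp.ead does not hold. The sample output and log lines are constructed from the article's examples; the user "bjones" and the group "DLP Exempt" are invented for the demonstration.

```python
import re

# Constructed sample: console output of `select * from usergroups;` against
# grp.ead, in the DOMAIN|user|group DN format shown in the article. Two DNs
# are wrapped at the terminal width, as they were in the article's output.
USERGROUPS_OUTPUT = """\
ENFORCE|AGill|CN=Adam Gill,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=enforce,DC=engdlp,DC=symantec,D
C=com
ENFORCE|AGill|CN=Domain Users,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
ENFORCE|AGill|CN=London Dist Group,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC
=com
ENFORCE|AGill|CN=Users,CN=Builtin,DC=enforce,DC=engdlp,DC=symantec,DC=com
"""

# Constructed sample of edpa_ext*.log lines at UserGroupResolverLevel FINEST.
# The second task (bjones, invented) never logs "groups resolved as:", which is
# the failure pattern to look for. "DLP Exempt" is an invented group.
LOG_EXCERPT = r"""06/03/2009 17:00:41 |  2332 | FINER   | UserGroupResolver | Create group resolution task for:enforce\agill.
06/03/2009 17:00:41 |  2332 | FINER   | UserGroupResolver | Impersonated as user [ENFORCE\AGill].
06/03/2009 17:00:45 |  2332 | FINER   | UserGroupResolver | Done impersonation. Reverted to self.
06/03/2009 17:00:45 |  2332 | FINER   | UserGroupResolver | User [ENFORCE\AGill] groups resolved as:
 CN=Adam Gill,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=Domain Users,CN=Users,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=London Dist Group,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
 CN=DLP Exempt,OU=London,DC=enforce,DC=engdlp,DC=symantec,DC=com
06/03/2009 17:02:10 |  2332 | FINER   | UserGroupResolver | Create group resolution task for:enforce\bjones.
"""

ROW_RE = re.compile(r"^([^|]+)\|([^|]+)\|(.*)$")
TASK_RE = re.compile(r"Create group resolution task for:(\S+?)\.?$")
RESOLVED_RE = re.compile(r"User \[([^\]]+)\] groups resolved as:$")


def user_key(domain, user):
    """Normalise DOMAIN\\user; the log mixes enforce\\agill and ENFORCE\\AGill."""
    return "%s\\%s" % (domain.strip().upper(), user.strip().lower())


def key_from_account(account):
    """'enforce\\agill' -> 'ENFORCE\\agill'."""
    domain, _, user = account.partition("\\")
    return user_key(domain, user)


def first_cn(dn):
    """Value of the leading CN RDN of a DN, leaving escaped commas alone."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = rdn.partition("=")
    return value.strip() if attr.strip().upper() == "CN" else ""


def parse_usergroups(output):
    """{user_key: set(group DN)} from usergroups console output. A line without
    a DOMAIN|user| prefix is the continuation of the previous (wrapped) row."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append([m.group(1), m.group(2), m.group(3)])
        elif rows:
            rows[-1][2] += line.strip()
    groups = {}
    for domain, user, dn in rows:
        groups.setdefault(user_key(domain, user), set()).add(dn)
    return groups


def is_member(groups, domain, user, group_cn):
    """True if the persisted membership of domain\\user has a group named group_cn."""
    dns = groups.get(user_key(domain, user), set())
    return any(first_cn(dn).lower() == group_cn.lower() for dn in dns)


def parse_log(log_text):
    """(started, resolved): users with a resolution task, and {user_key: set(DN)}
    read from the indented lines that follow 'groups resolved as:'."""
    started, resolved, current = set(), {}, None
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if m:
            started.add(key_from_account(m.group(1)))
            current = None
            continue
        m = RESOLVED_RE.search(line)
        if m:
            current = key_from_account(m.group(1))
            resolved[current] = set()
            continue
        if current is not None and line.startswith(" "):
            resolved[current].add(line.strip())
        else:
            current = None
    return started, resolved


def unresolved_users(log_text):
    """Users whose task was created but never logged a resolved group list."""
    started, resolved = parse_log(log_text)
    return started - set(resolved)


def missing_from_db(db_output, log_text, domain, user):
    """Groups the resolver logged that grp.ead does not hold (stale persisted data)."""
    key = user_key(domain, user)
    _, resolved = parse_log(log_text)
    return resolved.get(key, set()) - parse_usergroups(db_output).get(key, set())


if __name__ == "__main__":
    groups = parse_usergroups(USERGROUPS_OUTPUT)
    print("London Dist Group member:", is_member(groups, "enforce", "AGill", "London Dist Group"))
    print("Unresolved users:", unresolved_users(LOG_EXCERPT))
    print("Resolved but not persisted:", missing_from_db(USERGROUPS_OUTPUT, LOG_EXCERPT, "ENFORCE", "AGill"))
```

Feed it the real console output and log with the constants replaced (or read from files); an empty result from `missing_from_db` together with no unresolved users means the agent's view of the membership matches what the resolver last computed, and the problem is more likely in the policy's group condition than in resolution.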

You can turn on debug logging for the LDAP query string:

For V11, in ManagerLogging.properties:

com.vontu.enforce.directory.domain.DefaultLdapInterface.level = FINE

An example query string for "John Smith":

(&(|(name=*John*Smith*)(mail=*John*Smith*))(!(objectClass=computer)))

For V10 or 10.5:

com.vontu.enforce.directory.domain.LdapInterfaceImpl.level = FINE
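As an added example (not code from the article or from the DLP product), the following Python script rebuilds the filter shape shown in the logged query string for any display name and evaluates it against a small constructed directory, so you can see why the "name" and "mail" wildcards can return more than one entry for a common name. The RFC 4515 escaping of the name tokens and the simplified matcher are my additions and assumptions; how the product itself builds and evaluates the filter is not shown on the page. The directory entries are invented.

```python
# Constructed directory entries used to show what the logged filter would match.
# Attribute names follow Active Directory (name, mail, objectClass); values are invented.
DIRECTORY = [
    {"name": "John Smith", "mail": "john.smith@example.com", "objectClass": ["top", "person", "user"]},
    {"name": "Johnny Smithson", "mail": "johnny.smithson@example.com", "objectClass": ["top", "person", "user"]},
    {"name": "JOHN-SMITH-PC", "mail": "", "objectClass": ["top", "computer"]},
    {"name": "Jane Doe", "mail": "jane.doe@example.com", "objectClass": ["top", "person", "user"]},
    {"name": "Sales Mailbox", "mail": "john.smith.sales@example.com", "objectClass": ["top", "person", "user"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for characters that are special inside a filter value
    (added here as a defensive measure; not taken from the product)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_filter(display_name):
    """Rebuild the filter shape from the article: every whitespace-separated
    token is wrapped in wildcards, tried against both name and mail, and
    computer objects are excluded."""
    tokens = [escape_filter_value(t) for t in display_name.split()]
    pattern = "*" + "*".join(tokens) + "*"
    return "(&(|(name=%s)(mail=%s))(!(objectClass=computer)))" % (pattern, pattern)


def _contains_in_order(text, tokens):
    """Emulate '*t1*t2*' substring matching, case-insensitive like AD string attributes."""
    pos = 0
    text = text.lower()
    for t in tokens:
        i = text.find(t.lower(), pos)
        if i < 0:
            return False
        pos = i + len(t)
    return True


def entry_matches(entry, display_name):
    """Evaluate the same filter against one entry (a simplified stand-in for the server)."""
    if any(c.lower() == "computer" for c in entry.get("objectClass", [])):
        return False
    tokens = display_name.split()
    return any(_contains_in_order(entry.get(attr, ""), tokens) for attr in ("name", "mail"))


def find_candidates(directory, display_name):
    """Names of all entries the filter would return, in directory order."""
    return [e["name"] for e in directory if entry_matches(e, display_name)]


if __name__ == "__main__":
    print(build_user_filter("John Smith"))
    print(find_candidates(DIRECTORY, "John Smith"))
```

When the FINE log shows the query for a user, run the logged name through `find_candidates` against an export of the relevant OU to see whether the filter is ambiguous: a second user or a shared mailbox matching on "mail" is a common reason a group condition resolves to the wrong person.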