How to troubleshoot issues with AD rules/exceptions on the endpoint
Article ID: 175906

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You notice that an AD rule or exception doesn't work as expected on the endpoint.

Resolution

First, check whether the following article applies to your problem: Article ID 176039 - Recipient rules or exceptions do not work on the DLP endpoint agent when sending e-mails via Outlook Web Access (OWA)

After eliminating that, proceed as follows: 

1. Check that the mentioned user is a member of the exception or rule

2. Check the corresponding agent configuration to make sure the test use case is not excluded by filters in the agent configuration settings

3. Check (in the endpoint agent folder on the machine) whether the policy (ps.ead), agent config (cg.ead) and group config (grp.ead) have been updated on the agent since the last changes.

4. If possible, reproduce the issue with the latest agent version (latest agent-side hotfix).

5. If available, check whether the issue also occurs at the Network Discover, Network Prevent or Network Monitor level.

6. If all of the above seems to be fine and the issue still persists:

a)  Obtain a list of the user's group assignments by running the CMD command: gpresult /r >c:\temp\gpresult.txt or the PowerShell command: Get-GPResultantSetOfPolicy -ReportType Xml -Path "c:\reports\gpresult1.xml"

b)  Collect the results from the group DB on the endpoint by running the commands below (requires the vontu_sqlite3.exe tool to be present in the agent folder):

Vontu_sqlite3.exe -db=grp.ead -p=[tools password]
.header on
.mode csv
.once output.csv
.dump
.once users.csv
select * from users;
.once usergroups.csv
select * from usergroups;
.exit

c) Compare the results of the two outputs above with the policy. If there is a discrepancy, troubleshoot from there. If they all contain the expected user:

  1. Enable finest logging
  2. Reproduce the issue
  3. Collect all above output details
  4. Contact Symantec support
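
One way to script the check in step 3, as an added example that is not part of the original article or of Symantec's tooling. The function name and parameters are hypothetical, the agent folder path is a placeholder to fill in, and the change time must be given in the endpoint's local time.

```powershell
# Added example: report whether the agent's policy, agent config and group
# config files were rewritten after a known change time (step 3).
function Test-EadFreshness {
    param(
        # Assumption: path to the endpoint agent folder; supply your own.
        [Parameter(Mandatory)] [string]   $AgentFolder,
        # Local time of the last rule, exception or group change on the server.
        [Parameter(Mandatory)] [datetime] $ChangedAt
    )

    # File names and their roles as listed in step 3.
    $files = [ordered]@{
        'ps.ead'  = 'policy'
        'cg.ead'  = 'agent config'
        'grp.ead' = 'group config'
    }

    foreach ($name in $files.Keys) {
        $path = Join-Path -Path $AgentFolder -ChildPath $name
        # -Force also returns hidden files; a missing file yields $null.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            File               = $name
            Holds              = $files[$name]
            Present            = [bool]$item
            LastWriteTime      = if ($item) { $item.LastWriteTime } else { $null }
            # False means the file predates the change (or is missing),
            # so the agent has not received the update yet.
            UpdatedSinceChange = [bool]($item -and $item.LastWriteTime -ge $ChangedAt)
        }
    }
}

# Constructed invocation; folder and timestamp are placeholders.
Test-EadFreshness -AgentFolder '<agent folder>' -ChangedAt '2024-01-01 09:00' |
    Format-Table -AutoSize
```

A row with UpdatedSinceChange set to False for grp.ead means the group data exported in step 6 b) would still reflect the old membership.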