HOW TO: Match all users from an Organizational Unit (OU) to an Internal User Policy with PGP Universal Server 3.0 and above


Article ID: 181115




This article describes how to group users based on regular expressions for Directory Synchronization on PGP Universal Server 3.0 and above.


For information on Matching based on OU for PGP Universal Server 2.10 through 2.12, please see the following KB:

PGP Universal Server allows the use of regular expressions (regex) to match attributes for user groups on the server.


If the user object wanted for a Group is located in OU=OrgUnit,DC=pgptest,DC=dom, the following attributes would be used in the Group Settings:

Attribute: distinguishedName
Value: ^.+,OU=OrgUnit,DC=pgptest,DC=dom$



/ This value (previously required for PGP Universal Server 2.x) is not needed for the regex pattern in this example. PGP Universal Server 3.0 and above will assume these characters on its own once the "Regular Expression" box is checked in the Group Settings.
^ Defines the beginning of the string.
.+ Specifies that any number of characters, but at least one, can be at this location.
,OU=OrgUnit,DC=pgptest,DC=dom Signifies that this string must be present in the value.
$ Specifies this is the end of the string.

Therefore the regex attribute search '^.+,OU=OrgUnit,DC=pgptest,DC=dom$' matches all strings that end with the string ',OU=OrgUnit,DC=pgptest,DC=dom' and have at least one character before this string.
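
The following Python sketch is an added example, not part of the original article or of PGP Universal Server. It runs the article's pattern over constructed distinguishedName values to preview which objects would land in the group (including users in nested OUs, since .+ can span several RDNs) and compares it with a hypothetical stricter pattern that accepts only objects directly in the OU. It assumes the server's regex engine treats these basic constructs the way Python's re module does.

```python
import re

# Pattern exactly as given in the article.
OU_PATTERN = re.compile(r"^.+,OU=OrgUnit,DC=pgptest,DC=dom$")

# Hypothetical stricter variant (an assumption, not from the article):
# exactly one RDN before the OU, so users in nested OUs are excluded.
# (?:[^,\\]|\\.)+ consumes one RDN and tolerates escaped commas ("Doe\, Jane").
DIRECT_CHILD_PATTERN = re.compile(
    r"^(?:[^,\\]|\\.)+,OU=OrgUnit,DC=pgptest,DC=dom$"
)

# Constructed sample DNs for illustration only.
SAMPLE_DNS = [
    "CN=Alice Example,OU=OrgUnit,DC=pgptest,DC=dom",               # directly in the OU
    "CN=Bob Example,OU=Contractors,OU=OrgUnit,DC=pgptest,DC=dom",  # nested sub-OU
    "CN=Doe\\, Jane,OU=OrgUnit,DC=pgptest,DC=dom",                 # escaped comma in CN
    "CN=Carol Example,OU=Other,DC=pgptest,DC=dom",                 # different OU
    "CN=Eve Example,OU=XOrgUnit,DC=pgptest,DC=dom",                # similar OU name
    "OU=OrgUnit,DC=pgptest,DC=dom",                                # the OU object itself
]


def classify(dn):
    """Return which of the two patterns accept the given DN."""
    return {
        "article": bool(OU_PATTERN.match(dn)),
        "direct_only": bool(DIRECT_CHILD_PATTERN.match(dn)),
    }


def preview(dns):
    """Map each DN to its match results, for review before saving the group."""
    return {dn: classify(dn) for dn in dns}


if __name__ == "__main__":
    for dn, result in preview(SAMPLE_DNS).items():
        print(f"article={result['article']!s:5} "
              f"direct_only={result['direct_only']!s:5} {dn}")
```

Running a preview like this against an export of real DNs before checking the "Regular Expression" box shows whether the policy would reach accounts in sub-OUs that were not intended to receive it.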


To enter this information into Group Settings:


1. Click on Groups on PGP Universal Server.

2. Click on the customized Group in question, then click on the Group Settings button.

3. Click on Membership and check the box "Match Consumers Via Directory Synchronization".

4. Under "All LDAP Directories", choose "If any of the following apply".

5. Enter the appropriate values as specified above for Attribute and Value.

6. Check the box "Regular Expression"; otherwise the Value will be interpreted literally, and not as a pattern.