Detection is not working for DLP User Groups that index the Domain Users AD Security Group


Article ID: 184622


Updated On:


Data Loss Prevention


When indexing the Domain Users AD Security Group from within a DLP User Group, very few users to no users will be added to the index. This might be observed by the fact that detection or exception conditions in your policy are not working correctly for users in that group.


There will be no error messages in the Enforce Console during or after indexing the User Group. There will also be no error messages during detection either. However you might notice that the localhost log shows zero or few records indexed.



This issue is caused by the fact that the Enforce server queries the member LDAP attribute of the Group that was added to the DLP User Group. When AD returns the value of that attribute, it does not return the list of users who have that group as their primary group. It only returns the members listed on the member attribute of the group. However, in Active Directory Users and Computers if you were to look at the Members tab for that group you would see those users. This is because AD does the work of populating that list with users whose primary group that is.


Do not reference the Domain Users Security Group from a DLP User Group. Any users whose primary group is Domain Users will not be indexed by Enforce. Instead add users to a separate security group and reference that group from the DLP User Group. In addition you can also point the DLP User Group to the individual AD user or an OU(Organizational Unit) that contains that user.

For example, in order to index the user below from a DLP User Group, you would need to add the Engineering AD group as that user is a member of that group. However if you were to add the Domain Users group, it would not index that user because Domain Users is that user's primary group.

User's Primary Group