How to setup an attribute that will apply an agent configuration to an agent group if the user is part of an AD group.

book

Article ID: 192920

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

Symantec Data Loss Prevention (DLP)

Trying to setup an attribute that will apply an agent configuration to an agent group if the user is part of an AD group.

 

For example

If the user is a member of the DLPAdmins AD group, The agent should be applied to the group.

Custom agent attribute:

Search Filter:

(&(objectCategory=Person)(objectClass=User)(sAMAccountName=$LoggedinUser$))

 


AD Attribute:

memberOf

This gives  the list of all groups that the user is a member of. 
When the filter is applied to the group, it doesn’t apply. 
Is it because the group is looking for an exact match of just the DLPAdmins group instead of the output showing ALL groups?  
How can a filter be set up so that it looks to see if the user is a member of any of the groups, and then applies?

 

Agent group filter:

CN=DLPAdmins,OU=Administrative,OU=Groups,DC=PROD 

 

Also tried just using DLPAdmins.

Environment

Release : 15.1

 

Resolution

The group is looking for an exact match of just the DLPAdmins group instead of the output showing ALL groups.

To solve it, use wildcards when specifying the Group. 
So in this case use:

*CN=DLPAdmins,OU=Administrative,OU=Groups,DC=PROD*

(Note the asterisks on both ends of the string.)

This will allow it to find the group within the entire string returned by the query.