Active Directory user group resolution failed

Article ID: 208831


Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention
Data Loss Prevention Core Package

Issue/Introduction

You may receive the error "Active Directory user group resolution failed" for several different reasons:

1. Agents that connect over VPN have no contact with the Active Directory server at the moment the system boots and the agent initializes.

2. An Agent User Group fails to resolve the Group or User accounts configured in it.

3. A custom User Group attribute has been created and the Endpoint Agent edpa log shows: "Failed to resolve attribute : "<custom attribute name>". Error code : -2147016646 , Error description : The server is not operational." (Error code -2147016646 is HRESULT 0x8007203A, the Win32 error ERROR_DS_SERVER_DOWN, which is the code returned when the LDAP server cannot be reached.)


Environment

DLP 15.8+

Cause

1. DLP agents re-run user group resolution whenever a network change is detected (for example, a VPN tunnel coming up). The underlying connection to the AD server can take longer to become available than the default wait allows, so resolution is attempted before a domain controller is reachable.

2. If an Agent User Group is configured for specific user accounts and one of those users no longer exists in AD, user group resolution fails.

3. The Active Directory attribute name entered for the Custom Attribute does not exactly match the attribute's actual ldapDisplayName in the AD schema.

Resolution

1. In the agent Advanced Settings, locate the setting ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS.int. The default value is 30 seconds. Increase this value until the issue is resolved; the valid range for this setting is 30 to 600 seconds.

2. Go to Manage > User Groups, select the User Group that is failing, remove the user accounts that no longer exist in AD, and Save.

3. Ensure that the Active Directory attribute name entered for the Custom Attribute matches the attribute's AD ldapDisplayName exactly.
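The following PowerShell script is an added example and is not part of this article or of the DLP product. It checks the three preconditions behind the causes above from a domain-joined Windows host with the RSAT ActiveDirectory module installed: whether a domain controller is reachable over LDAP, whether every configured account or group still exists in AD, and whether the Custom Attribute name matches the schema's ldapDisplayName character for character. The domain name, account names and attribute name are placeholders to be replaced with your own values.

```powershell
# Added example, not part of the Broadcom KB article or the DLP product.
# Pre-flight checks for the three causes above. Requires the RSAT ActiveDirectory
# module and an account that can read the domain and schema partitions.
Import-Module ActiveDirectory

$Domain          = 'corp.example.com'                  # assumption: the agent's AD domain
$ConfiguredNames = @('jdoe', 'asmith', 'DLP-Finance')  # assumption: accounts/groups configured in the DLP User Group
$CustomAttribute = 'employeeType'                      # assumption: name typed into the DLP Custom Attribute

# Cause 1: can a domain controller be reached over LDAP right now?
# The edpa log code -2147016646 is HRESULT 0x8007203A (ERROR_DS_SERVER_DOWN),
# which Windows renders as "The server is not operational".
$dc     = Get-ADDomainController -Discover -DomainName $Domain
$dcFqdn = [string]$dc.HostName[0]
$ldap   = Test-NetConnection -ComputerName $dcFqdn -Port 389 -WarningAction SilentlyContinue
if ($ldap.TcpTestSucceeded) {
    Write-Output "LDAP reachable: $($dcFqdn):389"
} else {
    Write-Output "LDAP NOT reachable: $($dcFqdn):389 (consistent with 0x8007203A; consider raising ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS.int)"
}

# Cause 2: does every configured account or group still exist in AD?
# Get-ADObject is used instead of Get-ADUser so that both users and groups are covered.
foreach ($name in $ConfiguredNames) {
    $obj = Get-ADObject -Server $dcFqdn -LDAPFilter "(sAMAccountName=$name)"
    if ($null -eq $obj) {
        Write-Output "MISSING in AD: $name (remove it from the User Group under Manage > User Groups)"
    } else {
        Write-Output "Found: $name ($($obj.ObjectClass))"
    }
}

# Cause 3: does the Custom Attribute name match the schema's ldapDisplayName exactly?
# LDAP filters are case-insensitive, so the lookup finds the attribute even when only the
# case differs; the -ceq comparison then reports whether the spelling is identical.
$schemaNC = (Get-ADRootDSE -Server $dcFqdn).schemaNamingContext
$attr = Get-ADObject -Server $dcFqdn -SearchBase $schemaNC `
          -LDAPFilter "(&(objectClass=attributeSchema)(ldapDisplayName=$CustomAttribute))" `
          -Properties ldapDisplayName
if ($null -eq $attr) {
    Write-Output "No schema attribute has ldapDisplayName '$CustomAttribute'"
} elseif ($attr.ldapDisplayName -ceq $CustomAttribute) {
    Write-Output "Custom Attribute matches ldapDisplayName exactly: $($attr.ldapDisplayName)"
} else {
    Write-Output "Spelling differs: configured '$CustomAttribute', schema has '$($attr.ldapDisplayName)'"
}
```

Run the script on an affected endpoint immediately after the VPN connects; if the LDAP check fails there but succeeds a minute later, the delay setting in step 1 is the relevant fix. If the LDAP check passes but step 2 or 3 reports a problem, correct the User Group or the Custom Attribute name in the Enforce console as described above.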