You may receive the error "Active Directory user group resolution failed for different reasons."
1. When agents connect via VPN, they are not in contact with the Active Directory server when the system first boots up and the agent is initialized.
2. If a custom User Group attribute is created, the Endpoint Agent edpa log may show, "Failed to resolve attribute : "<custom attribute name>". Error code : -2147016646 , Error description : The server is not operational."
DLP 15.8+
1. DLP agents re-initialize that process when a network change is detected. Sometimes the underlying connection to the AD server can take longer than expected.
2. The Active Directory User attribute name does not exactly match the actual AD ldapDisplayName.
1. In the agent advanced settings configuration, locate the label named ServerCommunicator.CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS.int. The default value is 30 seconds. Increase this value until the issue is resolved. [The range for this setting is 30 to 600 seconds.]
2. Ensure that the Active Directory attribute name for the Custom Attribute exactly matches the AD ldapDisplayName.
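One way to carry out the check in step 2, as an added example that is not vendor code: the hypothetical function Test-DlpAttributeName classifies each attribute name entered in DLP against schema entries and reports the ldapDisplayName to use instead. The sample schema rows and configured names are constructed (contosoDlpGroup and costCentre are made up), and treating a case-only difference as a mismatch is an assumption based on the "exactly matches" wording above.

```powershell
# Added example, not vendor code. Classifies attribute names configured in DLP
# against lDAPDisplayName values taken from the AD schema.
function Test-DlpAttributeName {
    param(
        [Parameter(Mandatory)] [string[]] $ConfiguredName,   # names as typed into DLP
        [Parameter(Mandatory)] [object[]] $SchemaAttribute   # objects with Name (cn) and lDAPDisplayName
    )
    foreach ($name in $ConfiguredName) {
        # Candidate matches, from strictest to loosest.
        $exact = $SchemaAttribute | Where-Object { $_.lDAPDisplayName -ceq $name } | Select-Object -First 1
        $case  = $SchemaAttribute | Where-Object { $_.lDAPDisplayName -ieq $name } | Select-Object -First 1
        $trim  = $SchemaAttribute | Where-Object { $_.lDAPDisplayName -ieq $name.Trim() } | Select-Object -First 1
        $cn    = $SchemaAttribute | Where-Object { $_.Name -ieq $name.Trim() } | Select-Object -First 1

        if     ($exact) { $status = 'OK';              $use = $exact.lDAPDisplayName }
        elseif ($case)  { $status = 'CaseMismatch';    $use = $case.lDAPDisplayName }
        elseif ($trim)  { $status = 'StrayWhitespace'; $use = $trim.lDAPDisplayName }
        elseif ($cn)    { $status = 'UsedCommonName';  $use = $cn.lDAPDisplayName }
        else            { $status = 'NotInSchema';     $use = $null }

        [pscustomobject]@{ Configured = "'$name'"; Status = $status; UseInstead = $use }
    }
}

# Constructed sample schema rows so the script runs without a domain controller.
# Against a live domain (ActiveDirectory module), build $schema with:
#   $schema = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#       -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName
$schema = @(
    [pscustomobject]@{ Name = 'Employee-ID';       lDAPDisplayName = 'employeeID' }
    [pscustomobject]@{ Name = 'Department';        lDAPDisplayName = 'department' }
    [pscustomobject]@{ Name = 'Contoso-Dlp-Group'; lDAPDisplayName = 'contosoDlpGroup' }  # constructed custom attribute
)

# Constructed examples of names as they might have been entered in DLP.
$configured = @('employeeID', 'Department', 'Employee-ID', 'contosoDlpGroup ', 'costCentre')

Test-DlpAttributeName -ConfiguredName $configured -SchemaAttribute $schema |
    Format-Table -AutoSize
```

Any row whose Status is not OK names an attribute whose configured value should be replaced with the UseInstead value, or, for NotInSchema, checked for a typo.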