Changes in Active Directory group membership take hours to update Encryption Management Server

Article ID: 222563

Products: Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Changes in Active Directory group membership are not reflected in Encryption Management Server until hours after the change has been made.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

Encryption Management Server synchronizes with Active Directory every 21,600 seconds (6 hours) by default. To confirm this setting, ssh to the server and run the following command:

# grep 'periodic-scan-interval' /etc/ovid/prefs.xml
        <periodic-scan-interval>21600</periodic-scan-interval>

Note that in a clustered environment only one cluster member will perform the synchronization with Active Directory each time it runs.

If you wish to synchronize more frequently on an ongoing basis, edit the prefs.xml file and change the periodic-scan-interval to a lower value. After making the change, restart the regrouping service:

# pgpsysconf --restart pgpgroupd

If you wish to update the group membership manually, run this command:

# pgpgrouptool --update-group-membership

If regrouping is still running slowly, you can edit the prefs.xml file and change this setting from the default of false to true:

        <group-membership-optimization>false</group-membership-optimization>

You can also change this setting from the default of 7200 seconds to a value between 60 and 172800 seconds:

        <group-membership-sync-interval>7200</group-membership-sync-interval>

After making the change, restart the regrouping service:

# pgpsysconf --restart pgpgroupd
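The following shell functions are an added example, not part of this article or of the Encryption Management Server product: they read and safely rewrite the three prefs.xml settings described above, refusing values outside the documented range (60 to 172800 seconds for group-membership-sync-interval, true/false for group-membership-optimization) and keeping a timestamped backup before any change. The prefs.xml content is a constructed sample so the script runs offline; on a real server you would point it at /etc/ovid/prefs.xml and then run the pgpsysconf restart shown above.

```shell
#!/bin/sh
# Added example: audit and change sync settings in a prefs.xml-style file.

# Constructed sample mirroring the three settings the article discusses.
make_sample_prefs() {
  cat > "$1" <<'EOF'
<preferences>
        <periodic-scan-interval>21600</periodic-scan-interval>
        <group-membership-optimization>false</group-membership-optimization>
        <group-membership-sync-interval>7200</group-membership-sync-interval>
</preferences>
EOF
}

# get_pref FILE KEY -> prints the current value of <KEY>...</KEY>
get_pref() {
  sed -n "s|.*<$2>\(.*\)</$2>.*|\1|p" "$1" | head -n 1
}

# valid_value KEY VALUE -> succeeds only if VALUE is acceptable for KEY
valid_value() {
  case "$1" in
    group-membership-sync-interval)
      [ "$2" -ge 60 ] 2>/dev/null && [ "$2" -le 172800 ] ;;
    periodic-scan-interval)
      [ "$2" -ge 1 ] 2>/dev/null ;;
    group-membership-optimization)
      [ "$2" = "true" ] || [ "$2" = "false" ] ;;
    *) return 1 ;;
  esac
}

# set_pref FILE KEY VALUE -> validate, back up FILE, rewrite the element.
# Uses a temp file rather than sed -i so it works with POSIX sed.
set_pref() {
  valid_value "$2" "$3" || { echo "refusing: $2=$3 out of range" >&2; return 1; }
  cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  sed "s|<$2>[^<]*</$2>|<$2>$3</$2>|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: f=$(mktemp); make_sample_prefs "$f"
#        set_pref "$f" group-membership-sync-interval 600 && get_pref "$f" group-membership-sync-interval
```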