When synching an AD user group from the DLP Enforce Console, the sync fails with "Error: indexedDataStatus.ad_folder_not_accessible". The Enforce tomcat localhost logs contain:

SEVERE [com.vontu.profiles.manager.directoryconnection.DirectoryConnectionSourceIndexCreator] Protect Error 1017: One or more folders are not accessible in the active directory.

Release : 15.8

Cause 1:

The search is reaching the timeout period and the sync cannot complete.

Cause 2:

The sync cannot complete because there are too many objects that cannot be found and so it stops with the indexedDataStatus.ad_folder_not_accessible error.

Solution 1:

Perform the following steps on the Enforce Server:

1. Open the following file:

• Windows: Drive_letter:\Program Files\Symantec\DataLossPrevention\EnforceServer\version_number\Protect\config\Manager.properties
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/version_number/Protect/config/Manager.properties

2. Locate the com.vontu.manager.directorybrowser.timeout_ms property.

3. Increase the value of the property from 30000(default value) to 60000 or 120000.

4. Save the file.

5. Restart the Symantec DLP Manager Service.

6. Sync your AD user group in the Enforce Console again to see if the error goes away.

Solution 2:

Perform the following steps on the Enforce Server:

1. Open the following file:

• Windows: Drive_letter:\Program Files\Symantec\DataLossPrevention\EnforceServer\version_numbe\Protect\config\Indexer.properties
• Linux: /opt/Symantec/DataLossPrevention/EnforceServer/version_numbe/Protect/config/Indexer.properties

2. Add the com.vontu.profiles.directoryconnection.maxObjectNotFound property to the end of the file

3. Set the property to set the maximum number of objects to be skipped.

4. Save the file.

5. Restart the Symantec DLP Services.

6. Sync your AD user group in the Enforce Console again to see if the error goes away.