Step 1: Create the Agent Attribute
Follow the steps below to create a new Agent Attribute that retrieves the OU information from Active Directory.
- Browse to System > Agents > Agent Groups. Then click on "Manage Agent Attributes" in the top right corner of the Agent Groups screen.
- Name the Agent Attribute, for example "Agent OU Membership".
- Select Machine Domain.
- Use the following syntax for the search filter:
(&(objectCategory=Computer)(name=$AgentHostName$))
- Use the following for Active Directory Attribute: distinguishedName
- Click Save
- On the next screen, click "Apply Changes"
Step 2: Create the Agent group based on the newly created Agent Attribute
- Browse back to System > Agents > Agent Groups
- Click New
- Add a name for the group
- Use the Select Agent Attribute drop-down and select the Agent Attribute created in Step 1
- In the Value field, enter the LDAP path of one of the agents within the target OU, but replace the agent's name with an asterisk (*). This indicates that any agent belonging to the parent OU will be included in this group. In the example below, any agents associated with the OU "Test" will be moved to the group "Agent OU Group."
- Example: CN=*,OU=Test,DC=Example,DC=com
- Click Save
- On the Agent Groups screen, assign an agent configuration to the newly created group.
The DLP system will automatically assign this group to all agents that belong to the specified OU. The assignment will occur gradually as agents check in with the detection server.
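An offline check of the two strings this procedure depends on, added here as an example and not taken from the product or its documentation: it expands the Step 1 search filter for one host name and tests constructed DNs against the Step 2 value. The function names, the sample DNs, the RFC 4515 escaping and both wildcard readings are assumptions; the page does not say how the product escapes the host name or whether the asterisk can span a child OU.

```python
import re

# Taken from the page: the Step 1 search filter and the Step 2 example value.
SEARCH_FILTER = "(&(objectCategory=Computer)(name=$AgentHostName$))"
GROUP_VALUE = "CN=*,OU=Test,DC=Example,DC=com"

# Constructed sample DNs (not real hosts).
SAMPLE_DNS = [
    "CN=WKS-001,OU=Test,DC=Example,DC=com",             # directly in the OU
    "CN=WKS-002,OU=Laptops,OU=Test,DC=Example,DC=com",  # in a child OU
    "CN=WKS-003,OU=Prod,DC=Example,DC=com",             # different OU
]

def expand_filter(hostname):
    """Substitute a host name into the filter, escaped per RFC 4515."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    escaped = "".join(special.get(ch, ch) for ch in hostname)
    return SEARCH_FILTER.replace("$AgentHostName$", escaped)

def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def glob_match(pattern, text):
    """Case-sensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, text) is not None

def matches(pattern, dn, star_crosses_commas):
    """Test a DN against a group value under one of two wildcard readings.
    True:  '*' is a glob over the whole DN string, so it can absorb extra RDNs.
    False: '*' is confined to one RDN, so the RDN count must be equal.
    Which reading the product applies is an assumption to verify.
    """
    if star_crosses_commas:
        return glob_match(pattern, dn)
    p_rdns, d_rdns = split_rdns(pattern), split_rdns(dn)
    return len(p_rdns) == len(d_rdns) and all(
        glob_match(p, d) for p, d in zip(p_rdns, d_rdns))

def ambiguous(dns, pattern=GROUP_VALUE):
    """Return the DNs whose group membership depends on the reading."""
    return [dn for dn in dns
            if matches(pattern, dn, True) != matches(pattern, dn, False)]

if __name__ == "__main__":
    print(expand_filter("WKS-001"))
    for dn in ambiguous(SAMPLE_DNS):
        print("check placement in the console:", dn)
```

Any DN the script flags is an agent whose group, and therefore whose agent configuration, depends on how the wildcard is evaluated, so confirm its placement on the Agent Groups screen after it checks in.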