Showing results for 
Search instead for 
Did you mean: 
Level 7

DLP 3.0 - User Assignment Groups and Active Directory


I have a question regarding User Assignment Groups as part of DLP Device Control (in ePO 4.5) and I need to know how this integrates/works with Active Directory.

I have a working Device Control solution, where I have device rules set up and then use the user assignment group to define how have access/blocked to the device. If I add a single AD user to the User Assignment Group I have created, apply the policy and test it then it works a treat! But when I want to add an AD group (list of users) into the User Assignment Group and add the user in AD, then go back and update the policy and then test - then the update does not appear to happen!

Is there a way that the User Assignment Group can be updated, to reflect the latest changes to this group (so that updates that have been added to the AD group are reflected to be added to the User Assignment Group aswell)?

I want to be able to manage my users through AD groups (add/delete etc.) and then for this to be reflected in DLP, so that the users will have the correct access to the device.

Really hope someone can help me out.


0 Kudos
2 Replies
Level 9

Re: DLP 3.0 - User Assignment Groups and Active Directory

It uses LDAP.  All of the integration is done through standard Microsoft API calls.

The dialog box that pops up is a standard windows call.   I would test one of the built in AD groups to make sure it's working at all.

I've seen issues in the past with groups but never with a single AD user working.

0 Kudos
Level 7

Re: DLP 3.0 - User Assignment Groups and Active Directory


Thanks for info.

I have done some additional testing and it appears that the AD user group is applied after about 1 hour (after I have added/removed users from the group), so it does appear to work.

However I was wondering if there is a setting in DLP / ePO that is able to configure it to syncronizing more often? As I would ideally want to be able to add users to an AD group and then for the settings to be applied to the users within minutes.

0 Kudos