nashcoop
Reliable Contributor
Message 1 of 15

MCP Agent group membership info

I'm curious if somebody can provide me a detailed explanation regarding how the MCP agent gathers AD group membership information from a system that the agent is running on.  I assume AD doesn't communicate that information directly from the AD server to the MCP agent, rather the MCP agent is referencing an existing Microsoft file that is already stored somewhere on the computer.  Is that a correct assessment?   Thanks

14 Replies
aloksard
McAfee Employee
Message 2 of 15

Re: MCP Agent group membership info

Hi,

Hope you are doing well.

McAfee Client Proxy sends group information to the proxy it is communicating with.

Whenever MCP has been installed on an endpoint, the user group information gets synchronized with the Active AD Server under the following circumstances:

1) When MCP is started
2) The user performs a logoff and logon on the machine (Ctrl+Alt+Del)
3) Every hour

So, the GroupCache Manager in MCP is responsible for checking the connectivity with the AD server and updating the endpoint's group list, which is further used by MCP to form and send the X-SWEB-AuthGroups header towards the proxy server.

If the AD server is not reachable, then MCP sends the currently available groups on the machine. That is, it performs a process similar to "whoami /groups" and collects the currently available groups from the machine.

To check the groups of a user, one can run the command "whoami /groups" or "gpresult /R /SCOPE USER":

Below is a sample example:

>whoami /groups

GROUP INFORMATION
-----------------

Group Name
============================================
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Certificate Service DCOM Access
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
VEGAS\Internet Relaxed Users <------------- INTERESTED GROUP
VEGAS\Group Policy Creator Owners
VEGAS\Domain Admins
VEGAS\Enterprise Admins
VEGAS\Schema Admins
VEGAS\Denied RODC Password Replication Group

Regards

Alok Sarda
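
The check described in the post above, as an added example that is not part of the original thread and is not McAfee code: it compares the groups in the current logon token (what "whoami /groups" reads) with the membership Active Directory reports for the same account. The function names are hypothetical, the default group name is taken from the sample output, and the script does not read MCP's own group cache.

```powershell
# Added diagnostic, not McAfee code. Compares group SIDs in the current logon
# token with the transitive membership AD reports for the same account.
param(
    # Assumption: group name taken from the sample output above; pass your own.
    [string]$GroupName = 'VEGAS\Internet Relaxed Users'
)

function Get-TokenGroupSid {
    # Same source as "whoami /groups": the access token of this logon session.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSid {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found in the directory" }
    $entry = $hit.GetDirectoryEntry()
    # tokenGroups is a constructed attribute, so it must be requested explicitly.
    $entry.psbase.RefreshCache([string[]]@('tokenGroups'))
    foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable SID: show it raw
}

$token     = @(Get-TokenGroupSid)
$directory = @(Get-DirectoryGroupSid)
$account   = [System.Security.Principal.NTAccount]::new($GroupName)
$wanted    = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

[pscustomobject]@{
    Group        = $GroupName
    InDirectory  = $wanted -in $directory
    InLogonToken = $wanted -in $token
}

# Groups AD already grants that this logon session has not picked up yet.
$directory | Where-Object { $_ -notin $token } |
    ForEach-Object { "In AD, missing from token: $(Resolve-SidName $_)" }
```

If InDirectory is true and InLogonToken is false, the logon session has not yet picked up the new membership. If both are true and the gateway still does not list the group, the Windows side is already current.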

Re: MCP Agent group membership info

Hi Alok Sarda

I'm using MCP 3.0.1 on host "X", logged in as user "A".

And I followed these steps, one immediately after the previous:

1 - Add the user "A" to a new AD group that is configured at MWG to control access to a specific web page;
2 - The result of "whoami /groups" shows the new AD group;
3 - Trying to access that specific web page, the access is blocked;
4 - Looking at Rule Tracing Central I can see the access blocked, and at Top Properties the new group does not figure in Authentication.Usergroups;

After reading your post I tried a logoff/logon (twice), but there were no changes in Authentication.Usergroups.
After (about) 1h the site was no longer blocked and the new group became part of Authentication.Usergroups.

It seems that logoff/logon was not sufficient to update this information.
In some cases, waiting 1h is not acceptable.
Is there a way to force MCP to update this Authentication.Usergroups information? Maybe a command line...

Thank you!

Pierre @ Weg
nashcoop
Reliable Contributor
Message 4 of 15

Re: MCP Agent group membership info

To force a group refresh, run the following command line on the system while connected to VPN and authenticated to the domain. Recommend a reboot before continuing with actual work.

"klist -lh 0 -li 0x3e7 purge" and "klist purge"

Re: MCP Agent group membership info

Thanks friend!

My tests follow...

whoami filtered results:

Screenshot from 2020-04-22 09-47-27.png

And "Member Of" at Active Directory

Screenshot from 2020-04-22 09-50-08.png

I added my user to a new group, used to grant access to some content at Web Gateway.

Screenshot from 2020-04-22 09-52-33.png

After this I logged off and on, and the result of the whoami command shows my new group.

Screenshot from 2020-04-22 10-15-28.png

But when I try to access a service controlled by this group (e.g. web.whatsapp.com) it is blocked.

And looking at Rule Tracing Central, on Top Properties, I can see that the new group is not listed at Authentication.Usergroups.

Screenshot from 2020-04-22 10-22-09.png

If I just wait some time (about 4 coffees...) just refreshing the screen, the access is granted.

Screenshot from 2020-04-22 11-26-46.png

I'm looking for a way to shorten this waiting time.

I suppose that the Authentication.Usergroups property is updated by MCP.

Pierre @ Weg
nashcoop
Reliable Contributor
Message 6 of 15

Re: MCP Agent group membership info

Is the metadata handed to the McAfee agent first, and then relayed to MCP?  If that's the case, then I wonder if sending a McAfee Agent wakeup call to the system might speed up the MCP agent recognizing the change.

Re: MCP Agent group membership info

I have done dozens of wakeups from ePO and using the Agent Monitor console too.
The group membership info was not updated.
Without a logoff/logon I can wait all day and this info is not updated.

It seems that this info is extracted from the Windows local security profile, which is updated just after a logoff/logon, and after this, the Agent or MCP requires some time to refresh it.

Pierre @ Weg

Re: MCP Agent group membership info

I have done more tests...

14h29 - try to access eBay - blocked
14h30 - add my user to the AD group that grants eBay access
14h30 - logoff/logon - the result of whoami shows the new group
14h31 - try to access eBay - blocked
14h41 - try to access eBay - blocked
14h43 - try to access eBay - accessible

Nothing was done at AD or Web Gateway after 14h30.

Pierre @ Weg
dadialla
Level 8
Message 9 of 15

Re: MCP Agent group membership info

Hello, 

We're facing the same issue in our organization. Reading this topic we decided just to wait, but after an entire weekend the situation is the same (of course, after restarting the computer and several log offs / log ons).

Any suggestion to force MCP to re-check the AD groups?

Thank you
nashcoop
Reliable Contributor
Message 10 of 15

Re: MCP Agent group membership info

To force a group refresh, run the following command line on the system while connected to VPN and authenticated to the domain. Recommend a reboot before continuing with actual work.

"klist -lh 0 -li 0x3e7 purge" and "klist purge"
