1. Location determinated by ICMP probing LogonServer (Domain controller).
2. If your files marked by tag, you can monitor/block/collect evidence during file copy process to removable media.
3. Evidence replicated in background by agent and probably arrives after event. Please check permissions (NTFS and Share) for Evidence folder. Usually group "Domain Computers" must have write permissions in both settings.
1. Has already been answered on the previous post.
2. Use Removable Storage Protection Rules to monitor file copy to Removable Storage devices.
3. Ensure that you provide Domain Computers with Write permission and the current logged in user with both Read and Write permissions (since HDLP performs a write operation when decrypting the file). e.g If you are logged on to the machine with your ID and you would like to view the Evidence files, ensure that your AD ID has Read/Write permissions on the NTFS Security Tab of the Evidence$ share.
Remember that Share permissions are different from File System (read NTFS) Security permissions.
Thanks for the replies with the answer to my earlier queries,
i have one small doubt on the Online\Offline policies, and i hope you would be able to give me a quick response as earlier..
I need to know if a customer without an AD installs DLP and wants offline policies, will it work?.... how can it be accomplished?
really appreciate your help so far, and excepting an answer to this aswell..
Without AD you will not be able to use the Online / Offline feature.