That tends to cause confusion for DLP and will cause the rules to hit and miss on the excluded users.
To ensure it works properly, you should have a single UAG with All Domain Users and your Excluded defined as well. This also benefits you, as you can then create a block rule for that UAG and a separate monitor rule for a new UAG with an include for your Excluded.
UAG - Everyone: include all domain users, exclude excluded users
UAG - Elevated: include excluded users
Block rule - UAG - Everyone
Monitor rule - UAG - Elevated
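To see how the two-UAG layout above behaves, here is a small simulation of DLP-style user-group evaluation. This is an added example, not code from the thread or from any DLP product: it models a user group as "include minus exclude", evaluates which rules hit each user, and audits for users hit by no rule (a gap) or by more than one rule (double reporting). The user and group names are constructed test data, and the drift, local-account and third-rule scenarios are assumptions used to illustrate the failure modes discussed in the thread.

```python
"""Simulate DLP-style user-group membership and rule coverage.

Added example, not from the thread or any DLP product. Models the layout:
  UAG - Everyone: include all domain users, exclude excluded users -> Block rule
  UAG - Elevated: include excluded users                           -> Monitor rule
All names below are constructed test data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserGroup:
    """A user group evaluated as `include` minus `exclude`."""
    name: str
    include: frozenset
    exclude: frozenset = frozenset()

    def members(self):
        return self.include - self.exclude


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "block" or "monitor"
    group: UserGroup


def evaluate(rules, user):
    """Return the actions of every rule whose group contains `user`."""
    return [r.action for r in rules if user in r.group.members()]


def audit(rules, all_users):
    """Return (gaps, overlaps): users hit by no rule, users hit by several."""
    gaps, overlaps = [], []
    for user in sorted(all_users):
        hits = evaluate(rules, user)
        if not hits:
            gaps.append(user)
        elif len(hits) > 1:
            overlaps.append(user)
    return gaps, overlaps


def build_rules(domain_users, everyone_excludes, elevated_includes):
    """Build the Block/Monitor pair from the two UAG definitions."""
    everyone = UserGroup("UAG - Everyone", frozenset(domain_users), frozenset(everyone_excludes))
    elevated = UserGroup("UAG - Elevated", frozenset(elevated_includes))
    return [Rule("Block rule", "block", everyone), Rule("Monitor rule", "monitor", elevated)]


# Constructed sample data (assumption: a single domain plus one local account).
DOMAIN_USERS = frozenset({"alice", "bob", "carol", "dave"})
EXCLUDED = frozenset({"carol"})
LOCAL_USERS = frozenset({"LAPTOP01\\localadmin"})


def audit_in_sync():
    """Both UAGs agree on the excluded list: every domain user hits exactly one rule."""
    return audit(build_rules(DOMAIN_USERS, EXCLUDED, EXCLUDED), DOMAIN_USERS)


def audit_drift():
    """'dave' was added to Everyone's exclude list but not to Elevated: he hits nothing."""
    return audit(build_rules(DOMAIN_USERS, EXCLUDED | {"dave"}, EXCLUDED), DOMAIN_USERS)


def audit_local_account():
    """A local (non-domain) account is in neither UAG, so it is never matched."""
    return audit(build_rules(DOMAIN_USERS, EXCLUDED, EXCLUDED), DOMAIN_USERS | LOCAL_USERS)


def audit_third_rule():
    """An extra 'monitor everyone' rule makes every user hit two rules (double reporting)."""
    rules = build_rules(DOMAIN_USERS, EXCLUDED, EXCLUDED)
    rules.append(Rule("Monitor all", "monitor", UserGroup("UAG - All", DOMAIN_USERS)))
    return audit(rules, DOMAIN_USERS)


if __name__ == "__main__":
    print("in sync      :", audit_in_sync())
    print("drift        :", audit_drift())
    print("local account:", audit_local_account())
    print("third rule   :", audit_third_rule())
```

Running the script shows the in-sync layout covering every domain user exactly once, the drifted layout leaving the newly excluded user uncovered, the local account falling outside both groups, and an extra catch-all monitor rule doubling every event rather than closing a gap.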
That's what I was afraid you were going to say :-(
So I basically have two UAGs that have to be updated every time I add a new excluded user.
It sounds more painful than it is and is a better solution in the long term.
Do you think it's a bad idea to have a third rule that always has everyone included, just for monitoring, to make sure you don't accidentally leave someone out? Or is that just too much double reporting?
If you want to ensure you have everyone, just use the group "everyone" instead of "domain users". Also ensure that local users have been added.
I would think that if you had an additional rule and user assignment, it would just be more unwanted events that you'll wind up ignoring.
Just adding the Everyone group, does that keep me from having to LDAP sync all the different domains, or would I have to pull Everyone from each domain?
In the UAG, I mean.
It's been a while since I've had to deal with multiple domains and trusts within DLP. If I recall, each "Everyone" group is tied to its own domain, as seen in the path "example.com/Configuration/WellKnown Security Principals/Everyone" and the definition "Everyone (example.com)".