Symantec DLP 10.5-11 AD integration question

Created: 23 Feb 2011 • Updated: 10 Mar 2011 | 3 comments
UFO
This issue has been solved. See solution.

Quick question:

What will happen if an AD group (security group) is moved from one container to another [the gid (sid ..) for that group will not change, but the LDAP address will change]? How will it affect DLP policies (groups) based on this AD group?

3 Comments

Keith Reynolds - ExchangeTek

It sounds like in this case that you'd need to repoint your AD Group to the new location.  Since it's just a "named" group from the DLP system configuration standpoint, you could redefine it based on the new location without having to update the policies that use that AD Group.

~Keith

UFO

Keith, thank you.

As I understand it, DLP will not redefine the group automatically? Is there some Admin Guide, or whatever, that describes the scenario? Or else, have you had experience of such DLP behavior?
I was looking everywhere, but in vain...

Thank you in advance.

STS: DLP

Keith Reynolds - ExchangeTek

I'm basing what I'm saying there purely on experience.  I don't see anything documented about this scenario either.  And while I've used AD Groups in client deployments, I have not been in the situation where that AD group has moved.

In short, I'm guessing here, but knowing what I know about the application, I'm doubtful that there's anything in there that would automatically (1) periodically validate the AD Groups that you have set up, and (2) search for the new location of that group and repoint it.  I'm quite certain that this new (relatively) feature in DLP isn't advanced to the point where it would do this.

So take my comment with a grain of salt, but I'd be willing to place a bet that your only recourse here is to reconfigure the group manually if it moves.  I've been working with DLP since 2006 (ex Vontu, ex SYMC services), so have a pretty good feel for these things if that helps.  Other than that, I'd say to open a case with Support for the question and get the "official" answer.  Sorry I don't have a definitive answer to give you here.

~Keith

SOLUTION
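
The periodic validation discussed in the thread (check that each configured group still sits at its recorded LDAP location, and find its new location if it moved) can be done outside DLP. The sketch below is an added example, not part of the original thread and not Symantec code. It assumes you keep your own inventory of each group's DN and objectGUID (which, like the SID, stays the same when a group is moved between containers) and have a current directory export; the function names, inventory format and sample data are hypothetical and constructed.

```python
import re
import uuid

def guid_from_ad(raw: bytes) -> str:
    # AD returns objectGUID as 16 raw bytes, first three fields little-endian.
    return str(uuid.UUID(bytes_le=raw))

def norm_dn(dn: str) -> str:
    # Compare DNs case-insensitively, ignoring spaces around unescaped commas.
    return ",".join(p.strip().casefold() for p in re.split(r"(?<!\\),", dn))

def check_groups(inventory, directory):
    """inventory: dicts with name, dn, guid recorded when the group was configured
    (hypothetical format). directory: current export, dicts with objectGUID
    (bytes) and distinguishedName. Returns {name: (status, current_dn)}."""
    current = {guid_from_ad(e["objectGUID"]): e["distinguishedName"]
               for e in directory}
    report = {}
    for g in inventory:
        now = current.get(g["guid"].lower())
        if now is None:
            report[g["name"]] = ("missing", None)      # deleted or out of scope
        elif norm_dn(now) != norm_dn(g["dn"]):
            report[g["name"]] = ("moved", now)         # same object, new DN
        else:
            report[g["name"]] = ("ok", now)
    return report

# Constructed sample data: GUIDs, DNs and group names are made up.
G_FIN = "11111111-2222-3333-4444-555555555555"
G_HR = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
G_LEGAL = "99999999-8888-7777-6666-555555555555"
INVENTORY = [
    {"name": "Finance", "guid": G_FIN, "dn": "CN=Finance,OU=Groups,DC=example,DC=com"},
    {"name": "HR", "guid": G_HR, "dn": "CN=HR,OU=Groups,DC=example,DC=com"},
    {"name": "Legal", "guid": G_LEGAL, "dn": "CN=Legal,OU=Groups,DC=example,DC=com"},
]
DIRECTORY = [
    {"objectGUID": uuid.UUID(G_FIN).bytes_le,
     "distinguishedName": "CN=Finance,OU=Security Groups,DC=example,DC=com"},
    {"objectGUID": uuid.UUID(G_HR).bytes_le,
     "distinguishedName": "cn=HR, ou=Groups, dc=example, dc=com"},
]

if __name__ == "__main__":
    for name, (status, dn) in check_groups(INVENTORY, DIRECTORY).items():
        print(f"{name}: {status} {dn or ''}")
```

A "moved" result gives the new DN to use when repointing the group definition manually; a "missing" result means policies scoped to that group should be reviewed before they are relied on.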