Data Loss Prevention

  • 1.  Symantec DLP 10.5-11 AD integration question

    Posted Feb 23, 2011 09:41 AM

    Quick question:

    What will happen if an AD group (security group) is moved from one container to another [the gid (sid ..) for that group will not change, but the LDAP address will change]? How will it affect DLP policies (groups) based on this AD group?



  • 2.  RE: Symantec DLP 10.5-11 AD integration question

    Posted Feb 28, 2011 11:55 AM

    It sounds like in this case you'd need to repoint your AD Group to the new location. Since it's just a "named" group from the DLP system configuration standpoint, you could redefine it based on the new location without having to update the policies that use that AD Group.

    ~Keith



  • 3.  RE: Symantec DLP 10.5-11 AD integration question

    Posted Mar 01, 2011 10:12 AM

    Keith, thank you.

    As I understand it, DLP will not redefine the group automatically? Is there some Admin Guide, or whatever, that describes the scenario? Or else, did you have experience of such DLP behavior?
    I have been looking everywhere, but in vain...

    Thank you in advance.



  • 4.  RE: Symantec DLP 10.5-11 AD integration question
    Best Answer

    Posted Mar 02, 2011 01:36 PM

    I'm basing what I'm saying here purely on experience. I don't see anything documented about this scenario either. And while I've used AD Groups in client deployments, I have not been in the situation where that AD group has moved.

    In short, I'm guessing here, but knowing what I know about the application, I'm doubtful that there's anything in there that would automatically (1) periodically validate the AD Groups that you have set up, and (2) search for the new location of that group and repoint it. I'm quite certain that this (relatively) new feature in DLP isn't advanced to the point where it would do this.

    So take my comment with a grain of salt, but I'd be willing to place a bet that your only recourse here is to reconfigure the group manually if it moves. I've been working with DLP since 2006 (ex Vontu, ex SYMC services), so I have a pretty good feel for these things if that helps. Other than that, I'd say to open a case with Support for the question and get the "official" answer. Sorry I don't have a definitive answer to give you here.

    ~Keith
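An added check, not part of this thread and not a Symantec DLP feature, that does the validation Keith says DLP will not do for you: compare each DLP group's recorded DN against a directory snapshot and re-resolve it by objectSid when the DN no longer exists, since the SID survives a move between containers while the DN does not. The group names, DNs, SIDs and the directory snapshot are all constructed; in practice the snapshot would come from an LDAP search returning distinguishedName and objectSid.

```python
"""Detect DLP group definitions whose AD group DN has changed (group moved
between OUs) while its objectSid stayed the same.  All entries below are
constructed; the snapshot stands in for an LDAP search result."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupEntry:
    dn: str   # distinguishedName: changes when the group is moved
    sid: str  # objectSid (SDDL string form): stable across moves


@dataclass(frozen=True)
class DlpGroupRef:
    name: str  # the "named" group as DLP policies refer to it
    dn: str    # DN recorded when the DLP group was defined
    sid: str   # objectSid recorded at the same time


# Constructed snapshot taken AFTER Finance-Users moved from OU=Old to OU=New.
DIRECTORY_AFTER_MOVE = [
    GroupEntry("CN=Finance-Users,OU=New,DC=corp,DC=example", "S-1-5-21-111-222-333-1105"),
    GroupEntry("CN=HR-Users,OU=Old,DC=corp,DC=example", "S-1-5-21-111-222-333-1106"),
]

# Constructed DLP group definitions captured BEFORE the move.  "Legal" points
# at a group that was deleted and recreated, so its recorded SID no longer exists.
DLP_GROUPS = [
    DlpGroupRef("Finance", "CN=Finance-Users,OU=Old,DC=corp,DC=example", "S-1-5-21-111-222-333-1105"),
    DlpGroupRef("HR", "CN=HR-Users,OU=Old,DC=corp,DC=example", "S-1-5-21-111-222-333-1106"),
    DlpGroupRef("Legal", "CN=Legal-Users,OU=Old,DC=corp,DC=example", "S-1-5-21-111-222-333-1107"),
]


def find_by_dn(directory, dn):
    """DN lookup: breaks once a group is moved.  DNs are case-insensitive."""
    return next((g for g in directory if g.dn.lower() == dn.lower()), None)


def find_by_sid(directory, sid):
    """SID lookup: survives a move because objectSid never changes."""
    return next((g for g in directory if g.sid == sid), None)


def check_group_refs(dlp_groups, directory):
    """Map DLP group name -> 'ok', 'moved:<new DN to repoint to>' or 'missing'.
    'missing' means the SID itself is gone (deleted/recreated group): a DLP
    policy bound to it silently matches nobody until it is redefined."""
    result = {}
    for ref in dlp_groups:
        if find_by_dn(directory, ref.dn) is not None:
            result[ref.name] = "ok"
            continue
        current = find_by_sid(directory, ref.sid)
        result[ref.name] = f"moved:{current.dn}" if current else "missing"
    return result
```

Run the check on a schedule after an AD export and treat any "moved" or "missing" entry as a ticket to redefine the named group in DLP, which, as noted above, leaves the policies referencing it untouched.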