Setting up DGM as an exception to a policy to prevent false positive incidents from being generated for Endpoint users.
DLP 15.x, 16.x
Directory Group Matching (DGM) is a way to match on large groups of senders and recipients (using lists of email addresses, IP addresses, IM names, or usernames). DGM can also be used as an inclusion or an exception in a policy.
There are a few things that need to be set correctly in order to make DGM exceptions work on the Endpoint.
1. If you want to match on usernames, there has to be a system field that is set to Windows User.
2. In the file that you upload, the username must be displayed with the domain qualifier or machine name first, e.g. DOMAIN\username or MACHINENAME\username.
3. If you do not put a column header of email in the upload file, the DGM will not show on the choose Directory EDM list when you set up the exception.
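A pre-upload check for requirements 2 and 3 above, as an added example that is not part of the original article or of the product. It assumes a pipe-delimited file and a hypothetical column named windows_user for the column mapped to the Windows User system field; the function name and sample rows are constructed for illustration.

```python
import csv
import io
import re

# DOMAIN\username or MACHINENAME\username: qualifier, one backslash, name.
# Rejecting "/", "@" and whitespace is a strictness choice of this example.
QUALIFIED = re.compile(r"[^\\/@\s]+\\[^\\/@\s]+")

# Constructed sample upload file (line 1 is the header row).
SAMPLE = r"""email|windows_user
alice@example.com|CORP\alice
bob@example.com|bob
carol@example.com|WKSTN-042\carol
dave@example.com|dave@corp.example.com
"""

def check_dgm_file(text, user_column="windows_user", delimiter="|"):
    """Return a list of problems in a DGM upload file; empty list means OK."""
    problems, header, idx = [], None, None
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(rows, start=1):
        if not row:                      # skip blank lines
            continue
        if header is None:               # first non-blank row is the header
            header = [h.strip().lower() for h in row]
            if "email" not in header:
                problems.append("header: no 'email' column, so the DGM "
                                "will not be listed when setting up the exception")
            if user_column not in header:
                problems.append(f"header: no '{user_column}' column")
                return problems
            idx = header.index(user_column)
            continue
        if len(row) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, "
                            f"found {len(row)}")
            continue
        value = row[idx].strip()
        if not QUALIFIED.fullmatch(value):
            problems.append(f"line {lineno}: {value!r} is not in "
                            "DOMAIN\\username or MACHINENAME\\username form")
    if header is None:
        problems.append("file is empty")
    return problems

if __name__ == "__main__":
    for problem in check_dgm_file(SAMPLE):
        print(problem)
```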
NOTE: EDM, IDM, and DGM detection requires information to be sent to the Endpoint Server for processing.
Violations using EDM, IDM, or DGM cannot be blocked on the Endpoint. They will be monitored only. Be aware that this will add extra network traffic.