Troubleshooting the issue when the group based policy fails to work on an individual endpoint.
Turn on the specific logger level for the group resolution service. User the sqlite tool (as described in KB TECH219080) against cg.ead under the agent installation directory and input the following SQL statement:
insert or replace into configuration values('Logging', 'UserGroupResolverLevel', 'str', 'FINEST');
Agent needs to be restarted for this to effect. The logger level can also be changed by the "change log level" agent management task through Altiris console. In that case, no agent restarting required.
Normally the log (edpa_ext*.log) shows the following texts if the group resolution succeeds. Otherwise there could be failure and error code recorded.
It would be useful to display what the agent has resolved for user group membership. User the sqlite tool against grp.ead under the agent installation directory and input the following SQL statement:
select * from usergroups;
The output is normally in the following format. Look for the particular user name (usually the logon user). If there's no such entry or the membership of that user is wrong, some errors should have happened in group resolution task. The error log should exist in edpa_ext*.log.