Active Directory user group exclusion in DLP policy is not working
Article ID: 170685


Products

Data Loss Prevention Enforce
Data Loss Prevention

Issue/Introduction

Data Loss Prevention (DLP) policies that use Active Directory (AD) user groups as policy exceptions are not honoring the exception: messages from members of the excluded group still generate incidents.

The DLP Enforce Overview page may show no errors at all.

The Enforce Server localhost log shows the following errors (identifying values are masked with ***):

Thread: 78 WARNING [com.vontu.profiles.manager.directoryconnection.LdapIndexSearchObject] Received null objectClasses
Thread: 78 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: ou=IT Infrastructure,ou=Information Technology,ou=***_Users,dc=***,dc=***,dc=***
Cause:
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.***; nested exception is javax.naming.CommunicationException: simple bind failed: domain.***.***.*** [Root exception is java.net.SocketException: Connection reset]
org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.***; nested exception is javax.naming.CommunicationException: simple bind failed: Domain.***.***.*** [Root exception is java.net.SocketException: Connection reset]
javax.naming.CommunicationException: simple bind failed: Domain.***.***.***
java.net.SocketException: Connection reset
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: Domain.***.***.***; nested exception is javax.naming.CommunicationException: simple bind failed: Domain.***.***.*** [Root exception is java.net.SocketException: Connection reset]

Cause

The policies were downloaded and accepted by the DLP detection servers, but the AD user group referenced by the exception was not indexed correctly. The log shows why: when Enforce tried to read the group entry (UserGroupEntryReaderCreator), its LDAP simple bind to the directory server was reset by the remote side (java.net.SocketException: Connection reset), so the group's membership could not be retrieved. An exception that references a group with no indexed members matches no one, and the policy keeps generating incidents for those users. Because the failure is recorded only in the localhost log, nothing is surfaced on the Enforce Overview page.
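As an added example (not part of this article and not Symantec's own tooling), the following Python script scans an Enforce localhost log for the failure signature quoted above and reports, per directory group DN, the innermost exception and the LDAP bind target, so that silently non-functional group exceptions can be found before relying on the policy. The sample log text is constructed for the example: the DN, the host dc01.example.com:636 and the second, credential-related failure (LDAP error 49, data 52e) are assumptions, not values taken from this article.

```python
import re

# Constructed sample modelled on the localhost log lines quoted in the article.
# DN, host name and the second failure are assumptions for the example only.
SAMPLE_LOG = """\
Thread: 78 WARNING [com.vontu.profiles.manager.directoryconnection.LdapIndexSearchObject] Received null objectClasses
Thread: 78 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: ou=IT Infrastructure,ou=Information Technology,ou=Corp_Users,dc=example,dc=com
Cause:
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: dc01.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc01.example.com:636 [Root exception is java.net.SocketException: Connection reset]
org.springframework.ldap.CommunicationException: simple bind failed: dc01.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc01.example.com:636 [Root exception is java.net.SocketException: Connection reset]
javax.naming.CommunicationException: simple bind failed: dc01.example.com:636
java.net.SocketException: Connection reset
Thread: 81 INFO [com.vontu.profiles.manager.directoryconnection.LdapIndexSearchObject] Indexed 42 entries
Thread: 93 SEVERE [com.vontu.profiles.manager.directoryconnection.UserGroupEntryReaderCreator] Unable to retrieve the following directory group entry: cn=Finance,ou=Groups,dc=example,dc=com
Cause:
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563]
"""

# The SEVERE line that marks a directory group whose entry could not be read.
GROUP_FAIL_RE = re.compile(
    r"^Thread: (?P<thread>\d+) SEVERE \[com\.vontu\.profiles\.manager\.directoryconnection\."
    r"UserGroupEntryReaderCreator\] Unable to retrieve the following directory group entry: (?P<dn>.+)$"
)
# Any line starting a new log record ends the "Cause:" block of the previous one.
THREAD_LINE_RE = re.compile(r"^Thread: \d+ ")
# Host (and port, if logged) that the failed simple bind was aimed at.
BIND_TARGET_RE = re.compile(r"simple bind failed: (?P<target>[^;\s\]]+)")


def parse_localhost_log(text):
    """Return one record per failed directory group: DN, thread, bind target, innermost exception."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = GROUP_FAIL_RE.match(line)
        if m:
            current = {"thread": m.group("thread"), "group_dn": m.group("dn"),
                       "bind_target": None, "root_cause": None}
            records.append(current)
            continue
        if current is None:
            continue
        if THREAD_LINE_RE.match(line):
            current = None  # cause block finished; unrelated record follows
            continue
        if not line or line == "Cause:":
            continue
        if current["bind_target"] is None:
            b = BIND_TARGET_RE.search(line)
            if b:
                current["bind_target"] = b.group("target")
        # Stack traces are printed outermost first, so the last line is the root exception.
        current["root_cause"] = line
    return records


def classify(root_cause):
    """Rough triage of the innermost exception: transport problem vs. bind credentials."""
    if root_cause is None:
        return "unknown"
    if "error code 49" in root_cause:
        return "credentials"  # AD returns LDAP result 49 for a rejected bind
    if any(k in root_cause for k in ("SocketException", "CommunicationException", "ConnectException")):
        return "network"
    return "other"


if __name__ == "__main__":
    for rec in parse_localhost_log(SAMPLE_LOG):
        print(f"thread {rec['thread']}: group {rec['group_dn']}")
        print(f"  bind target : {rec['bind_target']}")
        print(f"  root cause  : {rec['root_cause']}")
        print(f"  category    : {classify(rec['root_cause'])}")
```

Run it against a real localhost log by passing the file contents to parse_localhost_log; every DN it reports is a group whose exception is currently not protecting anyone, and the category tells you whether to look at the network path to the domain controller or at the bind account before re-creating the group.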

Resolution

Edit the policy and remove the AD user group from the policy exception. Re-create the directory server group, and confirm that its index completes without a new "Unable to retrieve the following directory group entry" error in the localhost log. Then add the re-created group back to the policy exception and verify, with a test message from a member of the group, that no incident is created.

If the "simple bind failed ... Connection reset" error recurs, the directory connection itself (host, port, LDAP versus LDAPS setting, bind credentials, or a firewall or load balancer between the Enforce Server and the domain controller) must be fixed first; re-creating the group will fail the same way until the bind succeeds. A bind with the same account from the Enforce host using a standalone tool such as ldapsearch shows whether the problem lies outside DLP.

See Configuring policy exceptions

See Configuring the Recipient based on a Directory Server Group condition