https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149022#M5660 <P>Greetings all !</P><P>&nbsp;</P><P>I use a security group in my AD to pinpoint workstations&nbsp;eligible for FDE.&nbsp; Thus I have rule,&nbsp; where an AD security group is the dynamic "target"&nbsp; -&nbsp;This has worked out perfectly so far.</P><P>Alas (otherwise i wouldnt be writing this post) the "link" seems broken to the AD security group.<BR /><BR />I can see worksstations in my AD - but when looking into the deployment rules - the reflection of the group are missing several members .</P><P>As i understand - using security group for deployment secures dynamic updates - where virtual groups lack that ability.</P><P><BR />&nbsp;I have other rules depending on the AD connection - whích works fine - but those are based on virtual groups instead of Security groups.<BR /><BR />I have tried removing said group and reapply it - to no avail.<BR /><BR />I feel confident the connection between server and AD is at least partial working - since i can browse my AD from endpoint server.<BR /><BR />Hope this makes sense !<BR /><BR />Any ideas?<BR /><BR /></P><P>Kind regards</P><P>&nbsp;</P><P>Peter</P> Thu, 19 May 2022 12:56:42 GMT Peter_Bjeldbak 2022-05-19T12:56:42Z https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149022#M5660 <P>Greetings all !</P><P>&nbsp;</P><P>I use a security group in my AD to pinpoint workstations&nbsp;eligible for FDE.&nbsp; Thus I have rule,&nbsp; where an AD security group is the dynamic "target"&nbsp; -&nbsp;This has worked out perfectly so far.</P><P>Alas (otherwise i wouldnt be writing this post) the "link" seems broken to the AD security group.<BR /><BR />I can see worksstations in my AD - but when looking into the deployment rules - the reflection of the group are missing several members .</P><P>As i understand - using security group for deployment secures dynamic updates - where virtual groups lack that ability.</P><P><BR />&nbsp;I have other rules depending on the AD connection - whích works fine - but those are based on virtual groups instead of Security groups.<BR /><BR />I have tried removing said group and reapply it - to no avail.<BR /><BR />I feel confident the connection between server and AD is at least partial working - since i can browse my AD from endpoint server.<BR /><BR />Hope this makes sense !<BR /><BR />Any ideas?<BR /><BR /></P><P>Kind regards</P><P>&nbsp;</P><P>Peter</P> Thu, 19 May 2022 12:56:42 GMT https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149022#M5660 Peter_Bjeldbak 2022-05-19T12:56:42Z https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149039#M5661 <P>I would suggest to contact TAC to resolve this issue !</P> Thu, 19 May 2022 14:05:14 GMT https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149039#M5661 G_W_Albrecht 2022-05-19T14:05:14Z https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149229#M5672 <P>Do you have an AD Scanner running?<BR />Secondly, the AD Scanner only checks in a frequency of 120 Minutes (TAC told me there is no shorter time span possible) for any changes in AD and syncs that into the CP DB.</P><P>This means that if you change a AD security group and add a Client - it can be up to 120min Delay in worst cases until CP notices that ..&nbsp;</P><P>&nbsp;</P><P>BR ME</P> Mon, 23 May 2022 09:04:08 GMT https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149229#M5672 Michi 2022-05-23T09:04:08Z https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149265#M5676 <P>SOLVED !!<BR /><BR />So - found out my ad scanners was "frozen" ... not progressing - but neither failing (the Gui suggested the scan was in progress - but no progress was to be seen)<BR /><BR />After contacting suppport - I ended up with the below suggestion.<BR /><BR />1. Enter SSH to the Endpoint Management Server.<BR />2. cpstop<BR />3. cd $UEPMDIR/engine/uepm-jms-data<BR />4. rm *<BR />5. cpstart<BR /><BR />Which did the trick - my scanners once again pulls data every 5 minutes - JOY !!<BR /><BR />kind regards</P><P>Peter</P> Mon, 23 May 2022 14:08:30 GMT https://community.checkpoint.com/t5/Endpoint/Missing-sync-of-AD-security-group-from-endpoint-server/m-p/149265#M5676 Peter_Bjeldbak 2022-05-23T14:08:30Z