CGW group restrictions are not excluding all of the users (NETIQKB72437)

  • 7772437
  • 02-Jul-2010
  • 02-Jul-2010



Security Manager 6x


If a particular user that is a member of a group in the CGW restriction list accesses a file that is being monitored by a CGW filter, that user will show up in a CGW forensic report or a real time event as having accessed the file. Even though the user did indeed access the file, the CGW filter should not be reporting on any users that belong to groups in the restriction list.


There are 2 possible workarounds

Change the primary group for the affected users to something else. 

1) Go to Active Directory user and computers
2) Go to the OU where the user account is located
3) Right click user and select properties
4) Choose the ?member of? tab
5) Decide which group will be the new primary (must be a global group)
6) Highlight the group and select the ?set primary group? button

Or   Explicitly list these users in the "user restrictions" section of the filter definition.

1. Go the Security Manager configuration wizard\change guardian\configure change guardian for windows filters
2. Go to the filter group user restrictions tab
3. Add the affected users


CGW does not know if a user belongs to a group if it is the user?s primary group.   To determine if CGW knows about the user group membership of that particular user, run the following command.

DSQUERY group "groupDN" | DSGET group -members >>textfile.txt 

Note: to find the group DN you can use the following commadn:  dsquery group -name group_name|dsget group -DN

The DSGET command has the same issue so if the resulting text file does not contain the user in question, then CGW will not recognize it either.

Additional Information

Formerly known as NETIQKB72437

This will be fixed in a future release