KB Article | Forcepoint Support

Problem Description

After making a change to a user in Active Directory, this change is not being recognized in the Forcepoint Security Manager. How can this change be recognized?


By default, any information Forcepoint User Service receives from the Active Directory is cached for up to three hours.

When a user's directory service account is changed, Forcepoint typically does not recognize the change immediately.

Some examples of changes are as follows:
  • Adding a new group for a security policy
  • Moving a user from one group to another
  • Adding or removing a user entirely
To force User Service to recognize the changes to the user and group mappings, follow the steps below:
  1. Open the Forcepoint Security Manager.
  2. Click Web > Settings > Directory Services.
  3. Under the User Service Cache section, click Clear Cache.
Note: In large environments, user-based filtering may slow down and users may not receive the correct policies for a brief period while the directory service cache is recreated.

Important: Using the Clear Cache button to clear the User Service cache does not clear the Filtering/Policy cache. As a result, changes will not take effect immediately.

To have policy changes take effect more quickly after clearing the directory service cache:
  1. Make a policy change.
  2. Enable Use Most Restrictive Policy in the management console by selecting Settings > Filtering > Use Most Restrictive Policy > Save and Deploy.
  3. Immediately afterwards, reverse your change: disable the Use Most Restrictive Policy option and click Save and Deploy again.

