I'm curious if somebody can provide me a detailed explanation regarding how the MCP agent gathers AD group membership information from a system that the agent is running on. I assume AD doesn't communicate that information directly from the AD server to the MCP agent, rather the MCP agent is referencing an existing Microsoft file that is already stored somewhere on the computer. Is that a correct assessment? Thanks
Hi,
Hope you are doing well.
McAfee Client Proxy sends group information to the proxy it is communicating to.
Whenever MCP has been installed on an endpoint, the user group information gets synchronized with the Active Directory server in the following circumstances:
1) When MCP is started
2) User performs a logoff and logon on the machine (ctrl+alt+del)
3) Every one hour
So, the GroupCache Manager in MCP is responsible for checking the connectivity with the AD server and updating the endpoint's group list, which is further used by MCP to form and send the X-SWEB-AuthGroups header towards the Proxy Server.
If the AD server is not reachable, then MCP sends the currently available groups on the machine. That is, it performs a process similar to "whoami /groups" and collects the currently available groups from the machine.
To check the groups of a user one can run the command "whoami /groups" or "gpresult /R /SCOPE USER":
Below is a sample example:
>whoami /groups
GROUP INFORMATION
-----------------
Group Name
============================================
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Certificate Service DCOM Access
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
VEGAS\Internet Relaxed Users <------------- INTERESTED GROUP
VEGAS\Group Policy Creator Owners
VEGAS\Domain Admins
VEGAS\Enterprise Admins
VEGAS\Schema Admins
VEGAS\Denied RODC Password Replication Group
Regards
Alok Sarda
Hi Alok Sarda
I'm using MCP 3.0.1 on host "X", logged in as user "A",
and followed these steps, one immediately after the previous:
1 - Add the user "A" to a new AD group that is configured at MWG to control access to a specific web page;
2 - The result of "whoami /groups" shows the new AD group;
3 - Trying to access that specific web page, the access is blocked;
4 - Looking at Rule Tracing Central I can see the access blocked, and at Top Properties the new group does not appear in Authentication.Usergroups;
Reading your post, I tried to logoff/logon (twice) but no changes at Authentication.Usergroups.
After (about) 1h the site was no longer blocked and the new group became part of Authentication.Usergroups.
It seems that logoff/logon was not sufficient to update this information.
In some cases, waiting 1h is not acceptable.
Is there a way to force MCP to update this Authentication.Usergroups information? Maybe a command line...
Thank you!
To force a group refresh, run the following command line on the system while connected to VPN and authenticated to the domain. Recommend a reboot before continuing with actual work.
“klist -lh 0 -li 0x3e7 purge” and “klist purge”
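As an added example (not code from the thread, from McAfee, or from MCP itself), the PowerShell below shows the two sources that the replies above distinguish: the groups in the current logon token, which is what "whoami /groups" lists and what MCP falls back to when the AD server is unreachable, and the memberOf attribute held by the domain for the same user. It reports groups that exist in AD but are not yet in the token, which is the symptom being chased in this thread, and an optional switch runs the two klist purge commands from the reply above. Assumptions: a domain-joined host that can reach a domain controller, group names are built from the CN of each memberOf entry (simple comma split, so escaped commas in a CN are not handled), and purging the 0x3e7 (SYSTEM) logon session's tickets needs an elevated prompt.

```powershell
# Added example, not from the thread or from McAfee.
# Compares token groups (what "whoami /groups" shows) with AD memberOf.

function Get-TokenGroupNames {
    # Groups in the current access token. The token is built at logon and is
    # not refreshed until the user logs off and on again.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sid.Value   # unresolvable SID (e.g. a deleted group); keep the raw SID
        }
    }
}

function Get-ADMemberOfNames {
    # memberOf for the current user via ADSI; no RSAT module required.
    # Note: memberOf does not include the primary group or nested memberships.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    foreach ($dn in $result.Properties['memberof']) {
        # "CN=Internet Relaxed Users,OU=...,DC=vegas,DC=local" -> "VEGAS\Internet Relaxed Users"
        # (assumes the group CN contains no escaped commas)
        $cn = ($dn -split ',')[0] -replace '^CN=', ''
        "$env:USERDOMAIN\$cn"
    }
}

function Compare-GroupSources {
    param(
        # When set, runs the ticket purge commands given in the reply above.
        [switch]$PurgeTickets
    )
    $token = @(Get-TokenGroupNames)
    $ad    = @(Get-ADMemberOfNames)
    # Groups AD says the user is in, but which the logon token does not carry yet.
    $missing = @($ad | Where-Object { $token -notcontains $_ })

    if ($PurgeTickets) {
        # Purge the SYSTEM logon session (logon id 0x3e7) and the current user's tickets.
        klist -lh 0 -li 0x3e7 purge
        klist purge
    }

    [pscustomobject]@{
        TokenGroups      = $token
        DirectoryGroups  = $ad
        MissingFromToken = $missing
    }
}

# Usage: run in the user's session; add -PurgeTickets from an elevated prompt
# to also clear the Kerberos ticket caches.
Compare-GroupSources | Format-List
```

A non-empty MissingFromToken means the domain has the new membership but the session's token (and therefore anything that reads groups the way "whoami /groups" does) was issued before the change; purging tickets clears cached Kerberos tickets, but the token's group list is only rebuilt by a fresh logon.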
Thanks friend!
Here are my tests...
whoami filtered results:
And "Member Of" in Active Directory
I added my user to a new group, used to grant access to some content at webgateway.
After this I logoff and logon, and the result of the whoami command shows my new group.
But when I try to access a service controlled by this group (ex. web.whatsapp.com) it is blocked.
And looking at Rule Tracing Central, on Top Properties, I can see that the new group is not listed at Authentication.Usergroups.
If I just wait some time (about 4 coffees...) just refreshing the screen, the access is granted.
I'm looking for a way to shorten this waiting time.
I suppose that the Authentication.Usergroups property is updated by MCP.
Is the metadata handed to the McAfee agent first, and then relayed to MCP? If that's the case, then I wonder if sending a McAfee Agent wakeup call to the system might speed up the MCP agent recognizing the change.
I have done dozens of wakeups from ePO and using the Agent Monitor console too.
The group membership info was not updated.
Without a logoff/logon I can wait all day and this info is not updated.
It seems that this info is extracted from the Windows local security profile, which is updated only after a logoff/logon, and after this the Agent or MCP requires some time to refresh it.
I have done more tests...
14h29 - try to access eBay - blocked
14h30 - add my user to the AD group that grant eBay access
14h30 - logoff/logon - the result of whoami shows the new group
14h31 - try to access eBay - blocked
14h41 - try to access eBay - blocked
14h43 - try to access eBay - accessible
Nothing was done at AD or Web Gateway after 14h30.