Searching with a Discovery Team requires endpoints that are configured identically and assigned to the Discovery Team. The data set being searched is distributed between the team members, and the search is load balanced between them if configured to do so.
Discovery Teams are Scheduled Tasks initiated from the Console in which more than one endpoint client searches the same data set, distributing the load of the search between the team members. The following linked user guide section explains the technical details of configuring a Discovery Team: http://www.identityfinder.com/Help/EnterpriseConsole/index.htm#3550.htm
The following steps explain how to configure a Discovery Team search:
- Have a Discovery Team configured on the Console's Admin > Discovery Teams screen.
- Create a simple Tag with only the Discovery Team members in it. This is so you can view the status of the team on the Console's Status screen without having to individually select the endpoints.
- Ensure that all the endpoints in the Discovery Team have the same System Policies applied to them, and that no System Policy is applied to only some of the team members.
- Create a System Policy containing only the Remote Machine connection information and apply it to the Discovery Team's Tag. Do not remove that endpoint from the Policy or remove that System Policy from the Console, so that future remediation actions can be performed on the remote location. This applies to file searching using a Discovery Team. For database searching, the database credentials should be in the Scheduled Task Policy that the Discovery Team search is run from.
- Create a Scheduled Task Policy containing all the specifics of the search, such as the Custom Folders you want searched, and configure the Discovery Team Scheduled Task in that Scheduled Task Policy. Do not add the endpoints to that Scheduled Task Policy; the Discovery Team Task itself will run the task using the team members.
If there are issues, add just one of the team's endpoints to the Scheduled Task Policy and run a search task that does not use the Discovery Team to see whether it searches properly. If the endpoint is not a server OS, you can run the task as the Local Logged on User so you can view the Client while the search is running, and then stop the search once you see it is searching correctly. Please ensure you have logging for locations enabled in the Policy. The following setting in the Policy can be configured to enable logging for locations searched:
If the endpoint machine is a server OS that is accessed via RDP, you will need to run the task as the Local System account. In that case, view the search logs to determine whether the search is running properly, and then kill the process in Windows Task Manager if it is running successfully. The search log can be found in the following folder on the endpoint machine:
XP/2003: %ALLUSERSPROFILE%\Application Data\Identity Finder\Logs\SystemSearch\
Vista/7/2008: %ProgramData%\Identity Finder\Logs\SystemSearch\
If that search is successful, remove the one team member endpoint you added for the step above and then configure the Discovery Team search, ensuring that you configure the task to 'Perform distributed searching using all available team members' and, if desired, also 'Load balancing', as shown in the following linked user guide:
If the search is not successful, then once the task completes, perform a gather data of the endpoint from the Console in the context of the Local System account and attach the results to this ticket: