The current version of the client connector and unified agent for Windows should cache Active Director (AD) group information. This assumes that the client connector/unified agent was installed and that workstation was connected to the domain, or it has connected to the domain if the workstation was remote when the client was installed. Please the additional information below for further details.
Another option is to enable Captive Portal. See portal.threatpulse.com/docs/sol/Content/Deployment/Concepts/AuthDetail/about_captport_co.htm for details.
Blue Coat's ThreatPulse Client Connector relies on the underlying operating system to provide user and group information. Windows has the ability to cache logons so if a user has a laptop that is removed from the domain, the user can still logon to the laptop without the need to contact the domain. This caching mechanism does not cache the logged on user's group information. It only caches the user's logon credentials. If a user logs on and is able to contact the domain upon logon, the group information will be stored on the computer. At that point, the Client Connector is able to use that group information obtained by the OS. If that computer is a laptop and the laptop goes wireless, the group information remains cached for a period of time and group based policy continues to be enforced. If that laptop is rebooted and is not connected to the domain, then none of the group information is available to the Client Connector . The latest version of the client connector/unified agent has the ability to cache group information. This cached group information can be used for policy decisions while the workstation is remote. The one requirement is the workstation/laptop needs to connect to the domain at least once so it can get a copy of the groups. If the user goes remote and his/her group membership changes while they are off the network, they will need to connect back to the AD infrastructure so their groups that are cached are updated.