Changes to Active Directory group membership are not reflected in Encryption Management Server until hours after the change has been made. This is caused by Active Directory Optimization.
The Active Directory update frequency is set to 21,600 seconds (6 hours) by default, and synchronization might be disabled initially.
Encryption Management Server can be configured to look up information on LDAP servers such as Active Directory or Novell eDirectory. The information in this article relates specifically to the Active Directory synchronization routines; other directory servers use a different mechanism. Various attributes related to a user are pulled from the directory server, including the DN of the user entry. This information can be synchronized with Active Directory periodically, per the settings on the Encryption Management Server, to ensure that the most up-to-date information is available. When this synchronization is enabled, the update frequency is set to 21,600 seconds (6 hours) by default.
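The following is an added example, not code from Encryption Management Server or from this article. It is a small model of the behaviour described above: user entries (DN and group list) are pulled from a directory into a local cache, the cache is only refreshed once the configured update frequency has elapsed, and a group removal made in the directory in between stays in effect on the cached side until the next sync. The class and function names, the data structures and the directory entries are all constructed for illustration; the `max_lag_seconds` and `stale_entries` helpers are assumptions that show how a defender could reason about the worst-case revocation lag and spot entries the cache has not picked up yet.

```python
"""Toy model of a periodic directory-sync cache (added example, not product code).

It shows why a group change made in the directory is invisible to a consumer of
the cached copy until the next scheduled sync, and why a disabled sync never
picks the change up at all.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default update frequency stated in the article: 21,600 seconds (6 hours).
DEFAULT_UPDATE_FREQUENCY_SECONDS = 21_600


@dataclass
class DirectoryCache:
    """Snapshot of user attributes pulled from the directory, refreshed on a timer."""
    update_frequency: int = DEFAULT_UPDATE_FREQUENCY_SECONDS
    enabled: bool = True
    last_sync: Optional[int] = None                 # epoch seconds of last completed sync
    users: Dict[str, dict] = field(default_factory=dict)  # name -> {"dn": str, "groups": set}

    def sync(self, live_directory: Dict[str, dict], now: int) -> None:
        """Pull a fresh copy of every user entry (DN and group list) from the directory."""
        self.users = {
            name: {"dn": entry["dn"], "groups": set(entry["groups"])}
            for name, entry in live_directory.items()
        }
        self.last_sync = now

    def sync_due(self, now: int) -> bool:
        """A sync runs only when enabled and the configured interval has elapsed."""
        if not self.enabled:
            return False
        if self.last_sync is None:
            return True
        return now - self.last_sync >= self.update_frequency

    def maybe_sync(self, live_directory: Dict[str, dict], now: int) -> bool:
        """Refresh the cache if a sync is due; return whether one actually ran."""
        if not self.sync_due(now):
            return False
        self.sync(live_directory, now)
        return True

    def is_member(self, user: str, group: str) -> bool:
        """Membership as the cache sees it, which may lag the directory."""
        return group in self.users.get(user, {}).get("groups", set())

    def max_lag_seconds(self) -> Optional[int]:
        """Worst-case delay before a directory change is visible; None if sync is off."""
        return self.update_frequency if self.enabled else None


def stale_entries(cache: DirectoryCache, live_directory: Dict[str, dict]) -> List[str]:
    """Names whose cached DN or group set no longer matches the live directory."""
    stale = []
    for name, entry in live_directory.items():
        cached = cache.users.get(name)
        if (cached is None
                or cached["dn"] != entry["dn"]
                or cached["groups"] != set(entry["groups"])):
            stale.append(name)
    # Entries that were deleted from the directory but still sit in the cache.
    stale.extend(name for name in cache.users if name not in live_directory)
    return sorted(stale)


def demo() -> dict:
    """Walk a group removal through the sync cycle using constructed directory data."""
    directory = {
        "alice": {"dn": "CN=alice,OU=Staff,DC=example,DC=test", "groups": ["Encrypted-Mail"]},
        "bob": {"dn": "CN=bob,OU=Staff,DC=example,DC=test", "groups": []},
    }
    cache = DirectoryCache()
    cache.maybe_sync(directory, now=0)                    # initial pull at t=0
    directory["alice"]["groups"] = []                     # admin removes alice at t=100
    synced_early = cache.maybe_sync(directory, now=100)   # interval not elapsed: no sync
    still_member = cache.is_member("alice", "Encrypted-Mail")
    pending = stale_entries(cache, directory)             # what the cache has not seen yet
    synced_on_time = cache.maybe_sync(directory, now=DEFAULT_UPDATE_FREQUENCY_SECONDS)
    member_after = cache.is_member("alice", "Encrypted-Mail")
    return {
        "synced_early": synced_early,
        "still_member_before_sync": still_member,
        "pending_before_sync": pending,
        "synced_on_time": synced_on_time,
        "member_after_sync": member_after,
        "max_lag_seconds": cache.max_lag_seconds(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the gap between `still_member_before_sync` and `member_after_sync`: with the default interval, a removal can stay effective on the cached side for up to 21,600 seconds, and with synchronization disabled (`enabled=False`) `max_lag_seconds()` returns `None` because no refresh is ever scheduled.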