By default, Symantec Encryption Management Server looks at the UserCertificateBinary attribute in LDAP for certificates associated with the user. This is used for S/MIME encryption as well as Certificate Enrollment. If this functionality is not needed, or is causing problems such as multiple (unused) certificates being harvested from Active Directory, the behavior can be disabled. Once disabled, user certificates from Active Directory will no longer be harvested and associated with user accounts on Symantec Encryption Management Server.
Symantec Encryption Management Server does not have an option in the UI to toggle this setting. To disable this functionality, contact Symantec Encryption Support, who can help modify the setting in the back-end configuration.