Encryption Management Server users are automatically moved from their previous group to the Everyone group. However, the users are still members of an Active Directory security group that should result in them being matched to a specific Encryption Management Server group.
In the admin console, under Reporting / Logs the Groups log will show this warning for each of the affected users where username is the user name:
LDAP-00000: could not locate consumer "username" (eb90251f-2270-45b4-a09b-6e4aa4ead8c4) at the previously discovered DN; searching LDAP directories
Each user that is affected cannot be found in any of the LDAP Directories that Encryption Management Server points to.
Clearly, because the user was previously a member of an Encryption Management Server group, the user could at one time be found in Active Directory.
Periodically, Encryption Management Server runs a regrouping task that checks users can be found at the location specified by their LDAP DN (Distinguished Name). The Distinguished Name is one of the attributes stored for each user in the Encryption Management Server database. This attribute is initially set at enrollment time and subsequently during periodic regrouping.
If a user cannot be found at the previously discovered Distinguished Name location, Encryption Management Server will search for them in Active Directory.
Users who cannot be found in Active Directory will be assigned to the Everyone group.
Check whether the user can be found in Active Directory by using the validate_enroll.sh script attached to article TECH228315.
If the user cannot be found using this script, Encryption Management Server will not find them when the regrouping task is run and therefore it will move them to the Everyone group.
The most likely explanation as to why a user cannot be found is that they are not within a Base DN (Distinguished Name) that is searched by Encryption Management Server.
The Base DNs that are searched are listed in the Encryption Management Server admin console under Consumers / Directory Synchronization / Directory_Name / Base Distinguished Names where Directory_Name is the name of the LDAP Directory.
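The following is an added illustration, not Encryption Management Server code, of the regrouping behaviour described above and of why a user outside every configured Base DN ends up in the Everyone group. The directory content, consumer records, consumer ids, the Base DN and the mapping from an Active Directory security group to an Encryption Management Server group are all constructed for the example; the warning text is the one quoted from the Groups log.

```python
from dataclasses import dataclass, replace


def split_dn(dn: str) -> tuple:
    """Split a DN into lower-cased RDNs. Whitespace around commas is ignored;
    a backslash-escaped comma inside a value does not split the RDN."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip().lower())
    return tuple(rdns)


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when dn sits at or below base_dn (the Base DN is a suffix of the RDN list)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


@dataclass
class Consumer:
    username: str
    consumer_id: str   # constructed placeholder; real ids are GUIDs like the one in the log line
    dn: str            # previously discovered DN held in the Encryption Management Server database
    group: str


# Constructed directory content (DN -> attributes), standing in for Active Directory.
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=example,DC=com":
        {"sAMAccountName": "alice", "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    # Bob was moved to a sub-OU that is still under the searched Base DN.
    "CN=Bob,OU=London,OU=Staff,DC=example,DC=com":
        {"sAMAccountName": "bob", "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    # Carol was moved to an OU outside every configured Base DN.
    "CN=Carol,OU=Contractors,DC=example,DC=com":
        {"sAMAccountName": "carol", "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
}
BASE_DNS = ["OU=Staff,DC=example,DC=com"]
# Constructed mapping from an AD security group to an Encryption Management Server group.
GROUP_MAP = {"cn=finance,ou=groups,dc=example,dc=com": "Finance"}

# Constructed consumer records: each still holds the DN discovered at enrollment.
CONSUMERS = [
    Consumer("alice", "id-alice", "CN=Alice,OU=Staff,DC=example,DC=com", "Finance"),
    Consumer("bob",   "id-bob",   "CN=Bob,OU=Staff,DC=example,DC=com",   "Finance"),
    Consumer("carol", "id-carol", "CN=Carol,OU=Staff,DC=example,DC=com", "Finance"),
]


def lookup_by_dn(directory, dn):
    """Check the previously discovered DN first."""
    want = split_dn(dn)
    for entry_dn, attrs in directory.items():
        if split_dn(entry_dn) == want:
            return entry_dn, attrs
    return None


def search_base_dns(directory, base_dns, username):
    """Fall back to searching for the account, but only inside the configured Base DNs."""
    for entry_dn, attrs in directory.items():
        if attrs["sAMAccountName"].lower() == username.lower() and \
                any(dn_under_base(entry_dn, b) for b in base_dns):
            return entry_dn, attrs
    return None


def group_for(attrs, group_map):
    """Map the account's AD security group membership to a server group, else Everyone."""
    for g in attrs.get("memberOf", []):
        if g.lower() in group_map:
            return group_map[g.lower()]
    return "Everyone"


def regroup(consumer, directory, base_dns, group_map):
    """Model of one regrouping pass. Returns (updated consumer, Groups log lines)."""
    logs = []
    hit = lookup_by_dn(directory, consumer.dn)
    if hit is None:
        logs.append(f'LDAP-00000: could not locate consumer "{consumer.username}" '
                    f'({consumer.consumer_id}) at the previously discovered DN; '
                    f'searching LDAP directories')
        hit = search_base_dns(directory, base_dns, consumer.username)
    if hit is None:
        return replace(consumer, group="Everyone"), logs
    entry_dn, attrs = hit
    return replace(consumer, dn=entry_dn, group=group_for(attrs, group_map)), logs


def run_regrouping():
    """Regroup every constructed consumer; returns {username: (group, dn, warning count)}."""
    results = {}
    for c in CONSUMERS:
        updated, logs = regroup(c, DIRECTORY, BASE_DNS, GROUP_MAP)
        results[c.username] = (updated.group, updated.dn, len(logs))
    return results


if __name__ == "__main__":
    for user, (group, dn, warnings) in run_regrouping().items():
        print(f"{user}: group={group} dn={dn} warnings={warnings}")
```

Running it shows the three outcomes the article describes: alice is found at her stored DN and keeps her group; bob is not at his stored DN, so the warning is logged, but the search under the Base DN finds him and his stored DN is updated; carol also triggers the warning, is not under any Base DN, and is moved to Everyone even though she is still a member of the Finance security group.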
To resolve the issue, do one of the following:
When either of these actions has been performed, run the validate_enroll.sh script to ensure that the user can be found. If the script cannot find the user, neither will periodic regrouping.