Changes to Active Directory Security Group membership take too long to be reflected in Encryption Management Server Group membership

Article ID: 165060


Products

Encryption Management Server

Issue/Introduction

It is taking hours for changes to a user's Security Group membership in Active Directory to be reflected in the user's Symantec Encryption Management Server Group membership.

Note that when regrouping starts, the following entry is logged to the Reporting / Logs / Groups log in the admin console:

GROUPPERIODIC: Starting periodic regrouping of all consumers

In release 3.4.1 MP2 and above, when regrouping completes, the following entry is logged:

USERQUEUE: Completed periodic regrouping of all consumers

By default, Encryption Management Server synchronizes with Active Directory 6 hours (21,600 seconds) after the previous regrouping has completed.
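Because the interval is measured from the end of the previous regrouping, a slow regrouping pushes the next one out further, so the time between the two log entries above is the number worth tracking. The following script is an added example, not part of this article or of the product: it pairs the "Starting" and "Completed" entries into runs, reports how long each took, flags runs over a chosen threshold, and estimates when the next regrouping should start. The message text is as logged in the Groups log; the timestamp prefix on each line is an assumed format for this constructed sample, so adjust the regular expression to match an export from your own admin console. A "Starting" entry with no matching "Completed" entry is kept with an empty completion time, which is what you will see on releases before 3.4.1 MP2 or while a regrouping is still running.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines. The message text is what the Groups log records;
# the "YYYY-MM-DD HH:MM:SS" prefix is an assumed layout for this example only.
SAMPLE_LOG = """\
2024-03-01 02:00:10 GROUPPERIODIC: Starting periodic regrouping of all consumers
2024-03-01 02:47:55 USERQUEUE: Completed periodic regrouping of all consumers
2024-03-01 08:47:58 GROUPPERIODIC: Starting periodic regrouping of all consumers
2024-03-01 14:12:03 USERQUEUE: Completed periodic regrouping of all consumers
2024-03-01 20:12:05 GROUPPERIODIC: Starting periodic regrouping of all consumers
"""

# Default interval from the article: 6 hours after the previous regrouping completed.
DEFAULT_INTERVAL = timedelta(seconds=21_600)

# Timestamp, log source, and the Starting/Completed keyword of the two known messages.
LINE_RE = re.compile(
    r"^(\S+ \S+) (GROUPPERIODIC|USERQUEUE): (Starting|Completed) "
    r"periodic regrouping of all consumers$"
)


def parse_regrouping_runs(log_text, interval=DEFAULT_INTERVAL, slow_after=timedelta(hours=1)):
    """Pair Starting/Completed entries into regrouping runs.

    Returns a list of dicts with keys: started, completed (None if no completion
    entry was seen), duration_seconds, next_expected (completed + interval) and
    slow (True when the run took longer than slow_after).
    """
    runs = []
    current = None
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unrelated log entry
        ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        if match.group(3) == "Starting":
            if current is not None:
                runs.append(current)  # previous run never logged a completion
            current = {"started": ts, "completed": None, "duration_seconds": None,
                       "next_expected": None, "slow": False}
        elif current is not None:
            duration = ts - current["started"]
            current["completed"] = ts
            current["duration_seconds"] = int(duration.total_seconds())
            current["next_expected"] = ts + interval
            current["slow"] = duration > slow_after
            runs.append(current)
            current = None
    if current is not None:
        runs.append(current)  # still running (or completion never logged)
    return runs


def describe_runs(runs):
    """Render one human-readable line per run for an operator."""
    lines = []
    for run in runs:
        if run["completed"] is None:
            lines.append(f"{run['started']}: started, no completion entry seen")
            continue
        flag = " SLOW" if run["slow"] else ""
        lines.append(
            f"{run['started']}: took {run['duration_seconds']} s,"
            f" next regrouping expected {run['next_expected']}{flag}"
        )
    return lines


if __name__ == "__main__":
    for line in describe_runs(parse_regrouping_runs(SAMPLE_LOG)):
        print(line)
```

Run it against a saved copy of the Groups log to see whether regroupings are approaching the 6-hour interval themselves; in the sample, the second run takes over five hours, which is the situation the Cause section describes.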

Environment

Encryption Management Server 3.3 and above.

Cause

Regrouping can take many hours if some or all of the following conditions are true:

  1. There are tens or hundreds of thousands of internal user accounts in Encryption Management Server.
  2. Active Directory contains tens or hundreds of thousands of accounts.
  3. The connectivity between Encryption Management Server and the Active Directory domain controller server is very slow.
  4. The Active Directory domain controllers are overloaded.
  5. Encryption Management Server is pointing to multiple Active Directory domains.

Resolution

There are several ways of improving the speed of regrouping:

  1. Point Encryption Management Server to domain controllers that are physically close, for example, domain controllers in the same data center.
  2. Ensure that the domain controllers that the Encryption Management Server is using are not overloaded.
  3. If Encryption Management Server is pointing to more than one domain controller, give each domain controller a different Priority with the fastest domain controller as priority 1. Note that the priority value is not replicated between cluster members. This allows you to customize priority for each cluster member.
  4. In a clustered environment, regrouping is designed to run only on one cluster member. However, if there is considerable replication latency, it is possible that regrouping can occur simultaneously on multiple cluster members. If regrouping is occurring simultaneously on more than one cluster member, contact Technical Support for assistance in forcing regrouping to occur on only one or two cluster members.
  5. Consider pointing Encryption Management Server to a dedicated domain controller. Encryption Management Server only needs read access to Active Directory so a Read-Only Domain Controller (RODC) is sufficient.
  6. Consider reducing the interval between regroupings to less than 6 hours. Please contact Technical Support for assistance in changing the interval.

Often, only one or two Encryption Management Server Groups need to be synchronized more quickly than usual. To synchronize the members of a specific Encryption Management Server Group with Active Directory, do the following:

  1. Click on Consumers. The Groups are displayed.
  2. Click on the name of the Group you wish to synchronize.
  3. Click on the Group Settings button from the bottom of the page.
  4. Click on the Save button.