Symantec Endpoint Encryption (SEE):
When adding AD Security Groups to server roles, you may find that only the top level users within the group are getting permissions to the associated role. This is a limitation of the product at this time, as nested groups are not supported.
This means that if you have placed other security groups within a top level security group, the members of the nested groups will not be included in the server role.
This issue is resolved in Symantec Endpoint Encryption 11.2.0 and above.
All versions before 11.2.0 will have this limitation as stated in our documentation:
All users should be added in a top level group with no nested security groups inside.
Currently this is documented in the Online Help (?) for SEE:
In Active Directory, you can create server administrator groups, and then use the Configuration Manager to assign group-based roles. You can create groups of server administrators who require similar administrative access permissions, then assign the appropriate server roles to each group.