Users who are no longer in Active Directory remain in Encryption Management Server. This makes the Internal User count inaccurate. If Encryption Management Server uses LDAP Synchronization with Active Directory, it also results in the Groups log in the Reporting / Logs page of the Encryption Management Server administration console containing warnings about users who cannot be found.
The Groups log contains warnings like this:
WARN pgp/groupd: LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
Symantec Encryption Management Server 10.5 and above.
This is by design. Users are not deleted for two main reasons:
Reasons why you may wish to delete user accounts from Encryption Management Server include the following:
Drive encryption of the C drive does not use PGP keys, so deleting the machine's primary user does not affect it. If a Whole Disk Recovery Token (WDRT) is later needed for that machine, administrators can still retrieve it by searching by computer name. Provided administrators are willing to search by computer name, it is therefore perfectly reasonable to delete drive encryption users who have left the organization.
For users who encrypt data to their PGP key, more careful consideration is required before deleting the account. Note that removable drives can also be encrypted to a key.
Broadcom can supply a script to generate a report of inactive users and, optionally, delete inactive users. The script can delete all users who:
and / or
In order to obtain the script, please open a support case.
If you wish only to generate a report, download the file 1631294282085__report_users_not_seen.tar.gz from this article and do the following:
tar xfvz 1631294282085__report_users_not_seen.tar.gz
./report_users_not_seen.sh 12 1
./report_users_not_seen.sh 12 0
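The following is an added example that illustrates the kind of inactive-user report described above; it is not Broadcom's report_users_not_seen.sh, and the meaning of that script's two arguments is not described in this article, so nothing here reproduces them. The user list, its "username,last_seen,key-status" layout and the function interface are assumptions constructed for the example. It applies the consideration from the section above: accounts that only use drive encryption are listed as deletion candidates, while accounts that hold a PGP key are marked for review.

```shell
#!/bin/sh
# Added example, not Broadcom's script. Lists accounts whose last activity is
# at least N months before a reference date and classifies each one.
# The data layout and function interface are assumptions for this example.

# Constructed sample (not real Encryption Management Server data):
# username,last_seen (YYYY-MM-DD),key|nokey
SAMPLE_USERS='alice,2023-09-14,nokey
bob,2021-02-03,key
carol,2022-11-30,nokey
dave,2020-06-01,key'

# months_between REF_DATE LAST_SEEN -> whole months elapsed (YYYY-MM granularity)
months_between() {
    ref_y=${1%%-*}; rest=${1#*-}; ref_m=${rest%%-*}
    last_y=${2%%-*}; rest=${2#*-}; last_m=${rest%%-*}
    # strip a leading zero so 08 and 09 are not parsed as invalid octal
    ref_m=${ref_m#0}; last_m=${last_m#0}
    echo $(( (ref_y - last_y) * 12 + (ref_m - last_m) ))
}

# report_users_not_seen MONTHS REF_DATE [USERS]
# Prints "user months action" for every account not seen for MONTHS months or more.
# Accounts without a key are deletion candidates (drive-encryption-only users);
# accounts holding a key need a manual review before removal.
report_users_not_seen() {
    months=$1; ref=$2; users=${3:-$SAMPLE_USERS}
    printf '%s\n' "$users" | while IFS=, read -r user last_seen has_key; do
        [ -n "$user" ] || continue
        age=$(months_between "$ref" "$last_seen")
        if [ "$age" -ge "$months" ]; then
            if [ "$has_key" = "key" ]; then
                action=review
            else
                action=delete-candidate
            fi
            printf '%s %s %s\n' "$user" "$age" "$action"
        fi
    done
}

# Usage: report everyone not seen for 12 months as of 2024-01-15
report_users_not_seen 12 2024-01-15
```

The reference date is passed explicitly instead of read from the system clock so that the report is reproducible and can be re-run against a past cut-off when reconciling the Internal User count with Active Directory.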