In the VPM you have rule referencing the Domain Users group (or any other "Primary Group") but the rule is not matching when using LDAP.
Note: This also affects Windows SSO realms using LDAP for authorization.
LDAP does not reveal the membership in the primary groups.
The memberOF attribute never reveals primary group memberships.
You must create a rule based on the primaryGroupID.
In the VPM, add the following rule:
Run a policy trace and you will now see this rule is now being matched.