Encryption Management Server users move unexpectedly into a different Policy Group


Article ID: 170140




Encryption Management Server


Encryption Management Server users are moved unexpectedly into a different Policy Group than the one they were automatically put into at enrollment.

This occurs even though there has been no change to the Active Directory Security Groups of the users.


When a user enrolls to Encryption Management Server, Active Directory is searched according to the configuration under Consumers / Directory Synchronization.

If more than one Active Directory domain is specified, the domains will be searched in order. Within each domain, if more than one Base Distinguished Name is specified, the Base Distinguished Names will also be searched in order.

The user can be assigned to an Encryption Management Server Policy Group according to their membership of Active Directory Security Groups.

By default, every 6 hours, Encryption Management Server regroups the users. This involves checking that the users are still in the same container within Active Directory and checking which Active Directory Security Groups they are members of.

If enough of an Active Directory user's attributes have changed, Encryption Management Server regrouping will not be able to find them in their original domain. The regrouping process will then search lower priority domains and may match a user in one of these domains.

The newly matched user may belong to different Active Directory Security Groups and therefore be moved into a different Encryption Management Server Policy Group.


  • Encryption Management Server prior to 3.4.1 MP2.
  • Directory Synchronization pointing to Active Directory.
  • Complex environment such as more than one Active Directory domain being used by Directory Synchronization.


Upgrade to Encryption Management Server 3.4.1 MP2 or above.

In releases prior to 3.4.1 MP2, the Encryption Management Server regrouping process did not search correctly on Active Directory objectGUID.

The objectGUID is unique for each user. If a user is moved into another Active Directory container within the same domain, the objectGUID remains the same. No matter how many other user attributes such as email address are modified, the objectGUID does not change.

In a complex environment such as when Encryption Management Server Directory Synchronization is searching more than one domain, it is essential that the Encryption Management Server regrouping process can search correctly on objectGUID.
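The following Python simulation is an added illustration, not Symantec's code: it walks two domains in Directory Synchronization priority order and contrasts a regrouping search that matches on mutable attributes with one that matches on objectGUID. The directory contents, the group-to-policy mapping and the attributes the pre-3.4.1 MP2 search is assumed to match on (sAMAccountName and mail) are all constructed for the example; the article does not state which attributes the old search used.

```python
# Added example, not Encryption Management Server code. All directory data,
# the policy mapping and the matched attributes are constructed assumptions.
DOMAINS = [  # searched in this order, as Directory Synchronization does
    {"name": "corp.example", "users": [
        # Alice's account was renamed after enrollment (new login and mail),
        # but her objectGUID is unchanged.
        {"objectGUID": "guid-1111", "sAMAccountName": "alice.smith",
         "mail": "alice.smith@corp.example", "memberOf": ["Finance"]}]},
    {"name": "partner.example", "users": [
        # A different person in the lower-priority domain reuses the old login.
        {"objectGUID": "guid-2222", "sAMAccountName": "asmith",
         "mail": "asmith@partner.example", "memberOf": ["Contractors"]}]},
]
POLICY_FOR_GROUP = {"Finance": "Finance Policy", "Contractors": "Contractor Policy"}

# Record captured at enrollment, before Alice's account was renamed.
ENROLLED = {"objectGUID": "guid-1111", "sAMAccountName": "asmith",
            "mail": "asmith@corp.example"}


def search(domains, predicate):
    """Return (domain name, user) for the first match in domain priority order."""
    for domain in domains:
        for user in domain["users"]:
            if predicate(user):
                return domain["name"], user
    return None, None


def regroup_by_attributes(enrolled, domains):
    """Assumed pre-3.4.1 MP2 behaviour: match on mutable attributes only."""
    return search(domains, lambda u: u["sAMAccountName"] == enrolled["sAMAccountName"]
                  or u["mail"] == enrolled["mail"])


def regroup_by_guid(enrolled, domains):
    """3.4.1 MP2 behaviour: match on objectGUID, which survives renames and moves."""
    return search(domains, lambda u: u["objectGUID"] == enrolled["objectGUID"])


def policy_group(user):
    """Map the first recognised Security Group to a Policy Group name."""
    return next((POLICY_FOR_GROUP[g] for g in user["memberOf"] if g in POLICY_FOR_GROUP), "Default")


def outcome(regroup):
    """(domain matched, objectGUID matched, resulting Policy Group) or Nones if no match."""
    domain, user = regroup(ENROLLED, DOMAINS)
    if user is None:
        return None, None, None
    return domain, user["objectGUID"], policy_group(user)


if __name__ == "__main__":
    print("attribute match:", outcome(regroup_by_attributes))  # wrong user, Contractor Policy
    print("objectGUID match:", outcome(regroup_by_guid))       # Alice, Finance Policy
```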