After periodic regrouping of Encryption Management Server internal users against Active Directory, internal users are unexpectedly moved from their original Consumer Policy into the Default one.

This will only usually occur when Directory Synchronization is pointing to multiple Active Directory domains.

Encryption Management Server cannot find the Active Directory User record for the internal user and instead matches an Active Directory Contact record or an Active Directory Distribution Group record that has the same email address as the User during periodic regrouping. This results in the internal user being moved from their original Policy to the Default Policy.

An Active Directory Contact or Distribution Group cannot enroll to Encryption Management Server using Encryption Desktop. However, during periodic regrouping, if an Active Directory User record cannot be found by the regrouping process, Encryption Management Server will match a Contact or Distribution Group record that has the same email address as the User record in a lower priority Active Directory domain 

Reasons why an Active Directory User may not be found include the following:

• The Active Directory User was deleted.
• The Active Directory User was moved to an Active Directory container that is outside the Encryption Management Server search scope.

• Encryption Management Server 3.3 and above
• Directory Synchronization pointing to multiple Active Directory domains

There are several possible solutions to this issue:

1. Ensure that Active Directory Contact and Distribution Group records are placed in distinct Active Directory containers (Organization Units). Then configure Directory Synchronization not to include those containers in the list of Base DNs that are searched. In other words, ensure Contact and Distribution Group records are outside the search scope.
2. Do not give Active Directory Contacts or Distribution Groups the same email address as Active Directory Users. Clearly, Active Directory does not permit this to be done within a single domain but it is possible to do this if multiple Active Directory domains are in use. Even within the same domain, it is possible to delete an Active Directory User and then give an Active Directory Contact or Distribution Group the same email address as the deleted user.
3. Configure Directory Synchronization to search only for Active Directory Users using a process called LDAP Customization. Please contact Symantec Technical Support for assistance in configuring LDAP Customization.