After periodic regrouping of Encryption Management Server internal users against Active Directory, internal users are unexpectedly moved from their original Consumer Policy into the Default one.
This usually occurs only when Directory Synchronization is pointing to multiple Active Directory domains.
Encryption Management Server cannot find the Active Directory User record for the internal user and instead matches an Active Directory Contact record or an Active Directory Distribution Group record that has the same email address as the User during periodic regrouping. This results in the internal user being moved from their original Policy to the Default Policy.
An Active Directory Contact or Distribution Group cannot enroll with Encryption Management Server using Encryption Desktop. However, during periodic regrouping, if the regrouping process cannot find an Active Directory User record, Encryption Management Server will instead match a Contact or Distribution Group record in a lower priority Active Directory domain that has the same email address as the User record.
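The following is an added illustration of the matching problem described above; it is not Encryption Management Server code and does not reproduce how its regrouping is implemented. It models a directory spanning two domains with a constructed priority order and constructed records, contrasts a lookup keyed only on the email address (which can return a Contact or Group) with one restricted to User objects, and adds a diagnostic that lists every address shared between a User and a non-User object, which are exactly the accounts at risk of being regrouped into the Default policy.

```python
"""Model of an email-address lookup across several directory domains, showing
how a Contact or Distribution Group with the same address can shadow a User,
plus a collision report an administrator can run before regrouping.

Added example for this article, not product code. The record layout,
domain names, priority order and sample objects are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryObject:
    domain: str
    object_class: str  # "user", "contact" or "group" (constructed vocabulary)
    mail: str
    dn: str


# Constructed priority order: corp.example is searched before partner.example.
DOMAIN_PRIORITY = ["corp.example", "partner.example"]

# Constructed sample directory. alice and sales each exist as a User in
# partner.example and as a Contact / Group with the same address in corp.example.
SAMPLE_DIRECTORY = [
    DirectoryObject("corp.example", "contact", "alice@example.com",
                    "CN=Alice (contact),OU=Contacts,DC=corp,DC=example"),
    DirectoryObject("corp.example", "user", "bob@example.com",
                    "CN=Bob,OU=Staff,DC=corp,DC=example"),
    DirectoryObject("corp.example", "group", "sales@example.com",
                    "CN=Sales,OU=Groups,DC=corp,DC=example"),
    DirectoryObject("partner.example", "user", "alice@example.com",
                    "CN=Alice,OU=Staff,DC=partner,DC=example"),
    DirectoryObject("partner.example", "user", "sales@example.com",
                    "CN=Sales Mailbox,OU=Staff,DC=partner,DC=example"),
]


def first_match_by_mail(directory, mail, priority):
    """Lookup keyed on the address alone: returns the first object in the
    highest-priority domain that carries it, whatever its class. This is the
    behaviour that lets a Contact or Group stand in for the User."""
    wanted = mail.lower()
    for domain in priority:
        for obj in directory:
            if obj.domain == domain and obj.mail.lower() == wanted:
                return obj
    return None


def user_by_mail(directory, mail, priority):
    """Lookup restricted to User objects, still honouring domain priority.
    Returns None rather than a Contact or Group when no User carries the
    address in any searched domain."""
    wanted = mail.lower()
    for domain in priority:
        for obj in directory:
            if (obj.domain == domain and obj.object_class == "user"
                    and obj.mail.lower() == wanted):
                return obj
    return None


def mail_collisions(directory):
    """Map each address held by both a User and a non-User object (in any
    domain) to the sorted DNs involved. Addresses listed here can be
    mis-matched during regrouping; bob@example.com, held by one User only,
    is not reported."""
    by_mail = {}
    for obj in directory:
        by_mail.setdefault(obj.mail.lower(), []).append(obj)
    report = {}
    for mail, objs in by_mail.items():
        classes = {o.object_class for o in objs}
        if "user" in classes and len(classes) > 1:
            report[mail] = sorted(o.dn for o in objs)
    return report


if __name__ == "__main__":
    print("naive:", first_match_by_mail(SAMPLE_DIRECTORY, "alice@example.com", DOMAIN_PRIORITY))
    print("user only:", user_by_mail(SAMPLE_DIRECTORY, "alice@example.com", DOMAIN_PRIORITY))
    for addr, dns in mail_collisions(SAMPLE_DIRECTORY).items():
        print("collision:", addr, dns)
```

Against real Active Directory the class restriction in `user_by_mail` corresponds to an LDAP filter that combines the address with an object class test, for example `(&(objectClass=user)(mail=alice@example.com))`, rather than `(mail=alice@example.com)` alone; running a collision report like `mail_collisions` across every synchronized domain before regrouping shows which internal users need attention.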
Reasons why an Active Directory User may not be found include the following:
There are several possible solutions to this issue: