Encryption Management Server fails to assign users to the correct Consumer Group


Article ID: 174620




Encryption Management Server Gateway Email Encryption


Encryption Management Server assigns Active Directory users to Consumer Groups using Directory Synchronization. Specifically, it uses the memberOf attribute to check whether users are members of specific Active Directory security groups. For example:

  • Attribute: memberOf
  • Value: CN=Email Encryption,CN=Users,DC=example,DC=com

However, members of the Active Directory security group are not added to the Encryption Management Server group.

In Encryption Management Server 3.4.2 MP4 and above, the memberOf values from Group Settings are written to the Groups log, but only in debug mode. For example, the entry below shows a memberOf value failing to match because of a leading space:

memberOf=CN=Email Encryption,CN=Users,DC=example,DC=com skipped, exact value doesn't match with memberOf= CN=Email Encryption,CN=Users,DC=example,DC=com


  • Symantec Encryption Management Server 3.3.2 MP13 and above.
  • Windows Server 2012 and above running Active Directory.


The text in the Value field contains one or more spaces.

One or more spaces in certain positions within the Value field will cause regrouping to fail. This can include leading or trailing spaces and spaces preceding or following a comma. Spaces within the name of the container itself do not cause a problem. For example, all these value strings will cause regrouping to fail:

  •  CN=Email Encryption,CN=Users,DC=example,DC=com
  • CN =Email Encryption,CN=Users,DC=example,DC=com
  • CN= Email Encryption,CN=Users,DC=example,DC=com
  • CN=Email Encryption ,CN=Users,DC=example,DC=com
  • CN=Email Encryption, CN=Users,DC=example,DC=com
  • CN=Email Encryption,CN=Users,DC=example,DC=com 


Remove all spaces from Value fields that use the memberOf Attribute, except for spaces within the container names.
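
The check below is an added example, not part of the original article or of Encryption Management Server. It reports which of the space positions described above are present in a memberOf Value string and returns the cleaned string to paste back into the Value field. The function names are hypothetical, and it assumes no container name starts or ends with a backslash-escaped space.

```python
import re

# Split on commas that are not backslash-escaped, so an escaped comma
# inside a container name does not start a new component.
_COMPONENT_SPLIT = re.compile(r"(?<!\\),")

def _components(value):
    """Yield (index, attribute, name) for each attribute=name component."""
    for index, component in enumerate(_COMPONENT_SPLIT.split(value)):
        attr, sep, name = component.partition("=")
        if not sep:
            raise ValueError(f"component {index} is not attribute=value: {component!r}")
        yield index, attr, name

def problem_spaces(value):
    """Return (component_index, position) for each space that breaks matching."""
    issues = []
    for index, attr, name in _components(value):
        if attr != attr.lstrip():
            issues.append((index, "before attribute"))
        if attr != attr.rstrip():
            issues.append((index, "before '='"))
        if name != name.lstrip():
            issues.append((index, "after '='"))
        if name != name.rstrip():
            issues.append((index, "after name"))
    return issues

def normalize_member_of(value):
    """Strip spaces around '=' and ',' only; spaces inside names are kept."""
    return ",".join(f"{attr.strip()}={name.strip()}" for _, attr, name in _components(value))

GOOD = "CN=Email Encryption,CN=Users,DC=example,DC=com"
# The six failing strings from the article, rebuilt so the spaces are explicit.
FAILING = [
    " " + GOOD,
    GOOD.replace("CN=Email", "CN =Email"),
    GOOD.replace("CN=Email", "CN= Email"),
    GOOD.replace("Encryption,", "Encryption ,"),
    GOOD.replace("Encryption,", "Encryption, "),
    GOOD + " ",
]

if __name__ == "__main__":
    for value in FAILING:
        print(repr(value), problem_spaces(value), "->", normalize_member_of(value))
```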