When importing a client list from your Active Directory server, you find that clients have two entries in your Endpoint Protection Manager. They have an entry in the Default group where they appear online, and a second entry in the expected OU group where they appear offline.
Symantec Endpoint Protection, with client running in User mode rather than Computer mode, importing group structure from an Active Directory server.
Symantec Endpoint Protection expects the sAMAccountName and UPN (User Principle Name) account properties to be the same for users. If they differ, then you will see this behavior following an AD Sync.