Encryption Management Server can assign users to groups using Directory Synchronization. One of the most frequently used options is to match users against membership of a specific Active Directory Security group using the memberOf attribute:
However, unexpected results occur if the Match disabled Active Directory users and the If any of the following apply options are combined:
If these two options are combined, not only are the users in a specific Active Directory security group matched but in addition, all disabled Active Directory users are matched, no matter what Active Directory security group they are in.
Do not combine these options:
Disabled Active Directory users will be matched without the Match disabled Active Directory users option being selected.