Encryption Management Server may match an unexpected Active Directory user during the periodic regrouping of consumers when Encryption Management Server Directory Synchronization is pointed at multiple Active Directory domains and more than one Active Directory object carries the same email address.
Encryption Management Server will attempt to find users based on email address once other search methods have failed.
When searching by email address, Encryption Management Server searches the email addresses sorted in ascending order rather than searching first on the primary email address, so the primary address is given no precedence over secondary addresses.
Avoid giving users in different domains the same email address.
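The following PowerShell script is an added example and is not part of the original article or a Symantec/Broadcom tool. It enumerates the mail and proxyAddresses attributes of every user in each synchronized domain and reports any SMTP address that is assigned to more than one object, which is the condition that can produce an unexpected match during regrouping. It assumes the RSAT ActiveDirectory module is installed, the account running it can read every listed domain, and the domain names domain1.example and domain2.example are placeholders to be replaced with the domains Directory Synchronization actually searches, listed in the same order.

```powershell
# Added example, not code from the original article. Finds SMTP addresses
# that are assigned to more than one Active Directory object across the
# domains that Directory Synchronization searches.
# Assumptions: RSAT ActiveDirectory module present; read access to each
# domain; domain names below are placeholders for your own.
Import-Module ActiveDirectory

# Assumed domain names; list them in the order Directory Synchronization searches.
$domains = @('domain1.example', 'domain2.example')

# lowercase smtp address -> list of "domain\samAccountName" that carry it
$seen = @{}

foreach ($domain in $domains) {
    $users = Get-ADUser -Server $domain -Filter * -Properties mail, proxyAddresses
    foreach ($u in $users) {
        $addresses = @()
        if ($u.mail) { $addresses += $u.mail }
        foreach ($p in $u.proxyAddresses) {
            # proxyAddresses entries look like "SMTP:alice@example" (primary, upper case)
            # or "smtp:alias@example" (secondary). -match is case-insensitive, so
            # both forms are kept; non-SMTP entries such as "X500:..." are skipped.
            if ($p -match '^smtp:(.+)$') { $addresses += $Matches[1] }
        }
        $normalized = $addresses | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
        foreach ($a in $normalized) {
            if (-not $seen.ContainsKey($a)) { $seen[$a] = @() }
            $seen[$a] += "$domain\$($u.SamAccountName)"
        }
    }
}

# Any address carried by more than one object is a candidate for an
# unexpected match when Encryption Management Server falls back to
# searching by email address.
$duplicates = $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | Sort-Object Key
if ($duplicates) {
    foreach ($d in $duplicates) {
        Write-Output ("{0} is assigned to: {1}" -f $d.Key, ($d.Value -join ', '))
    }
} else {
    Write-Output 'No SMTP address is shared by more than one object across the searched domains.'
}
```

Run the script from a host with the ActiveDirectory module and resolve every reported address before adding a domain to Directory Synchronization; a shared address that is only a secondary proxyAddresses entry still counts, because the server does not prefer the primary address when it searches by email.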
For example, Directory Synchronization is pointing to two Active Directory domains which it searches in order:
Domain1 contains a user with the following email address:
Domain2 contains a user with the following email addresses:
When an email from [email protected] passes through Encryption Management Server for the first time, the user in Domain2 will be matched and an internal user record created. The internal user record will be associated with all three email addresses.
If the user in Domain2 is moved to an Active Directory container that is outside of the search scope used by Directory Synchronization, then the next time Encryption Management Server regroups against Active Directory, the following will occur: