Grouping Changes in Active Directory group membership take hours to update Symantec Encryption Management Server (PGP Server)

Article ID: 222563

Products

Encryption Management Server, Gateway Email Encryption, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Changes in Active Directory group membership are not reflected immediately on the PGP Server (Symantec Encryption Management Server). Grouping changes may take some time to apply, depending on several variables.

If the Grouping operation is taking longer than is acceptable, please reach out to Symantec Encryption Support for guidance and we can work with you to speed up these groupings. 

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

Encryption Management Server synchronizes with Active Directory every 21,600 seconds (6 hours) by default, so a group membership change may not be picked up until the next synchronization. To confirm this setting, SSH to the server and run the following command:

Note that in a clustered environment only one cluster member will perform the synchronization with Active Directory each time it runs.

To synchronize more frequently on an ongoing basis, edit the prefs.xml file and change periodic-scan-interval to a lower value. For assistance making these changes, please reach out to Symantec Encryption Support and we can work with you on this operation.

Additional Information

EPG-24718
EPG-29401

247593 - Users not grouped properly if certificates from Active Directory are rejected (PGP Server Unable to Group Users)