Agent group does not honor the assigned Agent Attributes in DLP


Article ID: 227810


Updated On:


Data Loss Prevention, Data Loss Prevention Enforce


When you configure an Agent group and add custom agent attributes in Symantec Data Loss Prevention (DLP), the agents are not joining that group as expected.
The custom agent attributes are based upon User Domain - Active Directory (AD) departments.
The Agent Attributes are configured in "System > Agents > Agent Groups > Create New Agent Attribute".
Multiple custom agent attributes are then added to an Agent Group.
The agent configuration assigned to the Agent Group is then updated.

The agents assigned to that agent configuration do not populate the agent group as expected.
Only the users in the first agent attribute in the line-separated list are imported into that agent group.
The users in the other agent attributes remain in the default agent group.

The LDAP sync works fine.
You can confirm this by checking the agents to see if the logged-in user is associated with the correct AD department.


Release: 15.x

Component: Enforce


Originally, the agent attributes were added by copying and pasting the AD group list from Notepad.
It appears that Notepad inserted some extra characters that caused the AD group list to fail.

Manually adding the AD group custom agent attributes to the Agent Group one at a time resolved the issue.

Using a true text editor instead of Notepad may also work, as it should not add any extra characters.
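
One way to check a pasted list for extra characters before entering it in the Agent Group is sketched below. This is an added example, not Symantec or Broadcom code; the article does not identify which characters were involved, so the sample list and the characters flagged (carriage returns, byte order marks, non-breaking and zero-width spaces, leading or trailing spaces) are assumptions.

```python
import unicodedata

# Constructed sample of a pasted, line-separated department list. The stray
# characters are assumptions; the article does not say which ones were present.
SAMPLE = "\ufeffFinance\r\nHuman Resources\u00a0\r\nEngineering\u200b\r\nLegal \r\n"


def _hidden(ch):
    """True for whitespace and for control/format characters (CR, tab, BOM, zero-width)."""
    return unicodedata.category(ch) in ("Cc", "Cf", "Zs")


def audit_list(raw):
    """Return (line, column, codepoint, name) for every character worth reviewing."""
    findings = []
    for line_no, line in enumerate(raw.split("\n"), start=1):
        visible = [i for i, ch in enumerate(line) if not _hidden(ch)]
        first, last = (visible[0], visible[-1]) if visible else (0, -1)
        for i, ch in enumerate(line):
            # An ASCII space between visible characters is part of the name.
            if ch == " " and first < i < last:
                continue
            if _hidden(ch):
                name = unicodedata.name(ch, "CONTROL")
                findings.append((line_no, i + 1, "U+%04X" % ord(ch), name))
    return findings


def clean_list(raw):
    """Return the entries with hidden characters dropped and odd spaces normalized."""
    entries = []
    for line in raw.split("\n"):
        kept = []
        for ch in line:
            cat = unicodedata.category(ch)
            if cat == "Zs":
                kept.append(" ")      # NBSP and similar become a plain space
            elif cat not in ("Cc", "Cf"):
                kept.append(ch)
        entry = "".join(kept).strip(" ")
        if entry:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for line_no, col, code, name in audit_list(SAMPLE):
        print("line %d, column %d: %s %s" % (line_no, col, code, name))
    print(clean_list(SAMPLE))
```

An empty result from `audit_list` means the list contains none of the characters this sketch looks for; it does not confirm how Enforce parses the field.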