When I select the refresh LDAP button in Users:Manage Groups, the synchronization fails with
Message error 2011 (user is not updated)
or reports that a user was moved to another group.
This fails for users whose Distinguished Names in AD share the same text before the escaped comma, for example:
CN=Smith\, John,OU=Users,DC=ca,DC=com
CN=Smith\, Michael,OU=Users,DC=ca,DC=com
If these users have already been imported into PAM, the update failure error appears on refresh.
As a result, some users that are members of a group in AD are not imported into PAM.
Following the example:
User CN=Smith\, John,OU=Users,DC=ca,DC=com is a member of CN=Windows Admin,OU=Users,DC=ca,DC=com, and user CN=Smith\, Michael,OU=Users,DC=ca,DC=com is a member of CN=Linux Admin,OU=Users,DC=ca,DC=com.
When I refresh the LDAP in PAM, the system may add CN=Smith\, John,OU=Users,DC=ca,DC=com to CN=Linux Admin,OU=Users,DC=ca,DC=com in PAM and remove it from CN=Windows Admin,OU=Users,DC=ca,DC=com.
In AD, however, the users are in the expected groups.
The issue appears for users whose CN contains an escaped comma and whose names are identical up to that comma. Note that the DN format itself is correct: RFC 4514 requires a comma inside an attribute value to be escaped with a backslash, so renaming the AD accounts is not the right workaround; apply the patch for your release instead.
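As an added illustration (not code from PAM or from this article), the following Python shows why a DN such as CN=Smith\, John,OU=Users,DC=ca,DC=com must be parsed with RFC 4514 escaping in mind: splitting on every comma yields the same leading fragment, "CN=Smith\", for both Smith users, while an escape-aware parser keeps the two entries distinct. The page does not describe PAM's internal defect; the naive split and the parser below are assumptions used to show the difference.

```python
"""Escape-aware LDAP DN parsing versus a naive comma split.

Illustrative code only; it is not PAM's implementation. The sample DNs are
the ones from the article; the parser follows RFC 4514 escaping rules:
a backslash escapes the next character, and '\\xx' is a hex-encoded byte.
Multi-valued RDNs joined with '+' are not handled here (assumption/simplification).
"""
import string

# Sample DNs constructed from the article's example.
JOHN = r"CN=Smith\, John,OU=Users,DC=ca,DC=com"
MIKE = r"CN=Smith\, Michael,OU=Users,DC=ca,DC=com"


def parse_dn(dn: str):
    """Split a DN into [(attribute, value), ...], decoding RFC 4514 escapes."""
    if dn == "":
        return []
    rdns = []
    attr = None
    buf = bytearray()  # value bytes; hex escapes may form multi-byte UTF-8 sequences

    def flush():
        nonlocal attr, buf
        if attr is None:
            raise ValueError("RDN without '=' in DN: %r" % dn)
        rdns.append((attr, buf.decode("utf-8")))
        attr, buf = None, bytearray()

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(ch in string.hexdigits for ch in pair):
                buf += bytes([int(pair, 16)])  # '\c3\a9' -> the UTF-8 bytes of 'é'
                i += 3
                continue
            if i + 1 < n:
                buf += dn[i + 1].encode("utf-8")  # '\,' -> literal comma, not a separator
                i += 2
                continue
            raise ValueError("dangling backslash at end of DN: %r" % dn)
        if c == "=" and attr is None:
            attr = buf.decode("utf-8").strip()
            buf = bytearray()
        elif c == ",":
            flush()  # an unescaped comma ends the current RDN
        else:
            buf += c.encode("utf-8")
        i += 1
    flush()
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for inclusion in a DN string (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")  # leading/trailing spaces must be escaped
        elif ch == "#" and idx == 0:
            out.append("\\#")  # a leading '#' would otherwise mean a hex-string value
        else:
            out.append(ch)
    return "".join(out)


def leading_rdn_naive(dn: str) -> str:
    """The wrong way: split on every comma, ignoring escapes."""
    return dn.split(",")[0]


def leading_rdn(dn: str):
    """The right way: the first (attribute, value) pair from an escape-aware parse."""
    return parse_dn(dn)[0]


if __name__ == "__main__":
    # Naive split collapses both users onto 'CN=Smith\'; the parser does not.
    print("naive :", leading_rdn_naive(JOHN), "|", leading_rdn_naive(MIKE))
    print("parsed:", leading_rdn(JOHN), "|", leading_rdn(MIKE))
```

If a sync process keys entries on the result of the naive split, the two Smith accounts become indistinguishable within the OU, which matches the kind of cross-user group assignment the article describes; an escape-aware parser, or simply comparing the full DN string as an opaque identifier, avoids the collision.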
A patch has been created to fix this issue. It is available for download on the PAM support page:
Release 2.7: CAPAM_2.7.0.07.p.zip
Release 2.8: CAPAM_2.8.1.p.zip