The "Match disabled Active Directory users" option in Encryption Management Server matches users from all Active Directory security groups