Encryption Management Server users are automatically moved from their previous group to the Everyone group. However, the users are still members of an Active Directory security group that should result in them being matched to a specific Encryption Management Server group.
Encryption Management Server 3.3 and above.
Directory Synchronization pointing to Active Directory.
Group membership being assigned by matching Active Directory security group membership.
In the admin console, under Reporting / Logs, the Groups log shows this warning for each affected user, where username is the user name:

LDAP-00000: could not locate consumer "username" (eb90251f-2270-45b4-a09b-6e4aa4ead8c4) at the previously discovered DN; searching LDAP directories
Each user that is affected cannot be found in any of the LDAP Directories that Encryption Management Server points to.
Because the user was previously a member of an Encryption Management Server group, the user must at one time have been found in Active Directory.
Periodically, Encryption Management Server runs a regrouping task that checks that each user can still be found at the location given by their LDAP DN (Distinguished Name). The Distinguished Name is one of the attributes stored for each user in the Encryption Management Server database. This attribute is initially set at enrollment time and is updated during each periodic regrouping.
If a user cannot be found at the previously discovered Distinguished Name location, Encryption Management Server will search for them in Active Directory.
Users who cannot be found in Active Directory will be assigned to the Everyone group.
Check whether the user can be found in Active Directory by using the validate_enroll.sh script attached to article TECH228315.
If the user cannot be found using this script, Encryption Management Server will not find them when the regrouping task is run and therefore it will move them to the Everyone group.
The most likely reason a user cannot be found is that the user is not within any Base DN (Distinguished Name) that Encryption Management Server searches.
The Base DNs that are searched are listed in the Encryption Management Server admin console under Consumers / Directory Synchronization / Directory_Name / Base Distinguished Names where Directory_Name is the name of the LDAP Directory.
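The following is an added example, not part of this article and not a Symantec tool: it pulls the affected user names out of exported Groups log lines (in the warning format quoted above) and checks whether each user's current Active Directory DN falls under one of the configured Base DNs, which is the scoping condition described here. The log lines, user DNs and Base DNs are constructed sample data; the DN comparison is a case-insensitive suffix match on RDN components that tolerates backslash-escaped commas in CN values.

```python
import re

# Warning format shown in the Groups log (Reporting / Logs), as quoted in the article.
WARNING_RE = re.compile(
    r'LDAP-00000: could not locate consumer "(?P<user>[^"]+)" '
    r'\((?P<guid>[0-9a-fA-F-]{36})\) at the previously discovered DN'
)

# Constructed sample log export; GUIDs are placeholders, not real consumer ids.
SAMPLE_GROUPS_LOG = [
    'LDAP-00000: could not locate consumer "jdoe" (11111111-1111-1111-1111-111111111111) '
    'at the previously discovered DN; searching LDAP directories',
    'LDAP-00000: could not locate consumer "asmith" (22222222-2222-2222-2222-222222222222) '
    'at the previously discovered DN; searching LDAP directories',
    'Regrouping task completed',
]

# Constructed sample data: the Base DNs configured under Directory Synchronization,
# and each affected user's current DN as it appears in Active Directory.
CONFIGURED_BASE_DNS = ["OU=Staff,DC=example,DC=com"]
CURRENT_USER_DNS = {
    "jdoe": "CN=jdoe,OU=Contractors,DC=example,DC=com",           # moved outside scope
    "asmith": "CN=Smith\\, Anna,OU=Sales,OU=Staff,DC=example,DC=com",  # still inside scope
}


def affected_users(log_lines):
    """Return {username: guid} for every regrouping warning found in the log lines."""
    found = {}
    for line in log_lines:
        m = WARNING_RE.search(line)
        if m:
            found[m.group("user")] = m.group("guid")
    return found


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping escaped commas (CN=Doe\\, Jane) intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn):
    """Canonical tuple of RDNs: whitespace trimmed, attribute and value lowercased."""
    parts = []
    for rdn in split_rdns(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(parts)


def in_scope(user_dn, base_dns):
    """True when user_dn equals, or sits beneath, one of the Base DNs.

    A Base DN matches when its RDN sequence is a suffix of the user's RDN sequence,
    which is how an LDAP subtree search rooted at that Base DN would reach the user.
    """
    user = normalize_dn(user_dn)
    for base in base_dns:
        b = normalize_dn(base)
        if len(b) <= len(user) and user[len(user) - len(b):] == b:
            return True
    return False


def out_of_scope_users(log_lines, user_dns, base_dns):
    """Affected users whose current DN is not under any configured Base DN.

    These are the users the regrouping task will move to the Everyone group
    unless they are moved into scope or their Base DN is added to the server.
    """
    return sorted(
        user for user in affected_users(log_lines)
        if user in user_dns and not in_scope(user_dns[user], base_dns)
    )


if __name__ == "__main__":
    for user in out_of_scope_users(SAMPLE_GROUPS_LOG, CURRENT_USER_DNS, CONFIGURED_BASE_DNS):
        print(f"{user}: {CURRENT_USER_DNS[user]} is outside all configured Base DNs")
```

A user that appears in the warning list but is still under a configured Base DN (asmith in the sample) is not explained by scoping, so that case should be checked with validate_enroll.sh rather than assumed to be a Base DN problem.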
To resolve the issue, do one of the following:
Move the user to an Active Directory Base DN that is within scope. This will require appropriate permissions in Active Directory.
Add the Base DN containing the user to Encryption Management Server.
When either of these actions has been performed, run the validate_enroll.sh script to ensure that the user can be found. If the script cannot find the user, neither will periodic regrouping.