PGP Encryption Server users unexpectedly move to the Everyone Group (Symantec Encryption Management Server)

Article ID: 164965

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) users are automatically moved from their previous group to the Everyone group.
However, the users are still members of an Active Directory security group that should result in them being matched to a specific Encryption Management Server group.

In the admin console, under Reporting / Logs the Groups log will show this warning for each of the affected users where username is the user name:
LDAP-00000: could not locate consumer "username" (ec90231f-2370-43b3-a09b-6e3aa3ead8c3) at the previously discovered DN; searching LDAP directories

Environment

  • PGP Encryption Server 10.5 and above.
  • Directory Synchronization pointing to Active Directory.
  • Group membership being assigned by matching Active Directory security group membership.

Cause

Each user that is affected cannot be found in any of the LDAP Directories that the PGP Encryption Server points to.

Clearly, because the user was previously a member of a PGP Server group, the user could at one time be found in Active Directory.

Periodically, the PGP Encryption Server runs a regrouping task that checks that each user can be found at the location specified by their LDAP DN (Distinguished Name).
The Distinguished Name is one of the attributes stored for each user in the PGP Encryption Server database. This attribute is initially set at enrollment time and subsequently updated during periodic regrouping.

If a user cannot be found at the previously discovered Distinguished Name location, the PGP Server will search for them in Active Directory.

Users who cannot be found in Active Directory will be assigned to the Everyone group.

Resolution

Check whether the user can be found in Active Directory by using the validate_enroll.sh script attached to article 161719.

If the user cannot be found using this script, the PGP Encryption Server will not find them when the regrouping task is run and therefore it will move them to the Everyone group.

The most likely explanation as to why a user cannot be found is that they are not within a Base DN (Distinguished Name) that is searched by the PGP Server.

The Base DNs that are searched are listed in the PGP Encryption Server admin console under Consumers / Directory Synchronization / Directory_Name / Base Distinguished Names, where Directory_Name is the name of the LDAP Directory.

To resolve the issue, do one of the following:

  1. Move the user to an Active Directory Base DN that is within scope. This will require appropriate permissions in Active Directory.
  2. Add the Base DN containing the user to Encryption Management Server.

When either of these actions has been performed, run the validate_enroll.sh script to ensure that the user can be found. If the script cannot find the user, neither will periodic regrouping.
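The following is an added illustration of the scoping logic described above; it is not part of this article or of the validate_enroll.sh script. It models the regrouping task offline: a user is checked at the DN stored at enrollment, then against the configured Base DNs on whole RDN boundaries, and anyone outside every Base DN is reported as destined for the Everyone group. All DNs and Base DNs below are constructed examples.

```python
def parse_dn(dn):
    """Split a DN into normalized RDNs (case-folded, trimmed); handles escaped commas only."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return [r for r in rdns if r]

def dn_in_scope(user_dn, base_dns):
    """Return the Base DN containing user_dn, or None; whole-RDN match, so OU=PreSales is not inside OU=Sales."""
    user = parse_dn(user_dn)
    for base in base_dns:
        b = parse_dn(base)
        if len(b) <= len(user) and user[len(user) - len(b):] == b:
            return base
    return None

# Constructed Base DNs, as listed under Consumers / Directory Synchronization / Directory_Name / Base Distinguished Names.
BASE_DNS = ["OU=Sales,DC=example,DC=com", "OU=Engineering,DC=example,DC=com"]

# Constructed users: (DN stored by the PGP Encryption Server at enrollment,
# DN the account currently has in Active Directory).
USERS = {
    "alice": ("CN=Alice,OU=Sales,DC=example,DC=com", "CN=Alice,OU=Sales,DC=example,DC=com"),
    "bob": ("CN=Bob,OU=Sales,DC=example,DC=com", "CN=Bob,OU=Contractors,DC=example,DC=com"),
    "carol": ("CN=Carol,OU=Sales,DC=example,DC=com", "cn=Carol, ou=EMEA, ou=Sales, dc=example, dc=com"),
    "dave": ("CN=Dave,OU=Sales,DC=example,DC=com", "CN=Dave,OU=PreSales,DC=example,DC=com"),
}

def triage(users=USERS, base_dns=BASE_DNS):
    """Model the regrouping task: check the stored DN, then search the configured Base DNs."""
    result = {}
    for name, (stored_dn, current_dn) in users.items():
        if parse_dn(stored_dn) == parse_dn(current_dn):
            result[name] = "found at stored DN"
        elif dn_in_scope(current_dn, base_dns):
            result[name] = "moved within a searched Base DN; stored DN will be updated"
        else:
            result[name] = "outside all searched Base DNs; will be assigned to Everyone"
    return result
```

Running `triage()` flags bob and dave as the accounts that would be moved to Everyone; dave's case shows why a plain string suffix comparison is not enough, since OU=PreSales ends with the characters of OU=Sales but is a different container.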