Users who are no longer in Active Directory remain in Encryption Management Server. This makes the Internal User count inaccurate. It also results in the Groups log in the Reporting / Logs page of the Encryption Management Server administration console containing warnings about users who cannot be found in Active Directory.
Symantec Encryption Management Server 3.3.2 MP13 and above.
LDAP enrollment using Active Directory.
The Groups log contains warnings like this:
WARN pgp/groupd: LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
This is by design. Users are not deleted for two main reasons:
Deleting a user also deletes their encryption key.
For users with SKM (Server Key Mode) keys, the private key for a user can be exported from the server by an administrator and the key will have no passphrase. It can therefore be used to decrypt items encrypted by the user.
For SCKM (Server Client Key Mode) keys, all except a user's signing key can be exported from the server and again there will be no passphrase.
For GKM (Guarded Key Mode) keys, a copy of a user's private key can be exported from the server but it will be protected with a passphrase chosen by the user. Hence, if the user has left the organization, this key will probably be of no use.
Note that in all cases, the ADK (Alternate Decryption Key) can also be used to decrypt data encrypted by users. However, since the ADK allows any user's data to be decrypted, the private key is not stored on the server. Clearly, the private key should be kept in a very secure location but sometimes the organization loses its record of that secure location.
If a machine's WDRT (Whole Disk Recovery Token) is required for a user who has left the organization, it is often easier for an administrator to search for the user name rather than the machine name.
Reasons why you may wish to delete user accounts from Encryption Management Server include the following:
Duplicate email addresses - Encryption Management Server treats email address as a unique identifier so it is possible to find cases where a user with email address firstname.lastname@example.org leaves and someone else with the same email address joins the organization. This can cause problems if the original user account is not deleted from Encryption Management Server. However, this issue should be reasonably rare and can be dealt with on a case-by-case basis.
Performance - Storing user keys uses a relatively high volume of space in the database. Deleting users deletes their keys and, in large environments, this can result in performance improvements.
Regrouping - When a user is deleted from Active Directory, Encryption Management Server will search unsuccessfully for that user each time it regroups. In a large environment, searching for thousands of users that are not in Active Directory can slow down the regrouping process.
Licensing - It is easier to track how many user licenses are needed if only active users are listed in the Encryption Management Server management console.
Drive encryption of the C drive does not use encryption keys. Therefore, if a WDRT is needed for a machine whose primary user has been deleted, provided administrators are willing to search by computer name, it is perfectly reasonable to delete drive encryption users who have left the organization.
For users who encrypt data to their key, more careful consideration will be required. Note that removable drives can be encrypted to a key.
If you believe that mass removal of users is needed, contact Technical Support and ask about the pgpusermanager script; Technical Support will then determine whether the script is a good match for your scenario.
This script can delete all users who:
Cannot be found in Active Directory
and / or
Have not contacted the server for N months.
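Before asking about mass removal, it helps to know how many users the Groups log warning actually applies to. The following is an added example, not part of this article and not a Symantec tool: it parses the warning shown earlier out of a Groups log and deduplicates by consumer GUID, since the same warning repeats on every regrouping run. The sample log lines are constructed, and the pattern assumes the warning always carries the quoted display name followed by the GUID in parentheses, as in the line above.

```python
import re
from collections import OrderedDict

# Pattern for the groupd warning shown in the Groups log. Assumes the quoted
# display name is always followed by the consumer GUID in parentheses.
GROUPD_UNMAPPED = re.compile(
    r'WARN pgp/groupd: LDAP-\d+: failed to map consumer '
    r'"(?P<name>[^"]*)" \((?P<guid>[0-9a-fA-F-]{36})\) to a directory'
)


def unmapped_consumers(log_lines):
    """Return {guid: name} for every consumer groupd could not find in AD.

    Deduplicated by GUID: regrouping re-emits the warning on every run, so
    counting raw lines would overstate the number of orphaned users.
    Lines that are not this warning (other levels, other messages) are skipped.
    """
    found = OrderedDict()
    for line in log_lines:
        match = GROUPD_UNMAPPED.search(line)
        if match:
            found.setdefault(match.group('guid'), match.group('name'))
    return found


# Constructed sample: two regrouping runs, one user repeated in both,
# plus unrelated INFO lines that the parser must ignore.
SAMPLE_LOG = """\
INFO pgp/groupd: regrouping started
WARN pgp/groupd: LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
WARN pgp/groupd: LDAP-00000: failed to map consumer "Second User" (0a1b2c3d-0000-4000-8000-000000000002) to a directory
INFO pgp/groupd: regrouping finished
INFO pgp/groupd: regrouping started
WARN pgp/groupd: LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
INFO pgp/groupd: regrouping finished
""".splitlines()


if __name__ == "__main__":
    orphans = unmapped_consumers(SAMPLE_LOG)
    print(f"{len(orphans)} consumer(s) not found in Active Directory:")
    for guid, name in orphans.items():
        print(f"  {name}  {guid}")
```

Run against an exported Groups log instead of SAMPLE_LOG to get the real list; the count is a useful sanity check against the Internal User count in the administration console.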