Internal Users are not automatically deleted from Symantec Encryption Management Server



Article ID: 165138


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption

Issue/Introduction

Users who have been removed from Active Directory remain as Internal Users in Encryption Management Server. This inflates the Internal User count. If Encryption Management Server uses LDAP Synchronization with Active Directory, each regroup also writes warnings to the Groups log (Reporting / Logs in the Encryption Management Server administration console) for every user it can no longer find in the directory.

The Groups log contains warnings like this:

WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
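Because the server keeps emitting one such warning per missing user on every regroup, the Groups log is a convenient place to enumerate the stale accounts before deciding what to do about them. The script below is an added example, not Symantec code or part of this article: it assumes you have exported the Groups log as plain text with lines in the format shown above, and it cross-checks the names against a list of current directory users that you would obtain separately (here a constructed list). Names that still exist in the directory are reported apart from the stale ones, since a mapping failure for a user who is still present points to an LDAP or group configuration problem rather than an account to remove.

```python
import re
from collections import OrderedDict

# Regex for the Groups log warning quoted in the article. The consumer name
# is double-quoted and the consumer ID is a 36-character UUID in parentheses.
WARN_RE = re.compile(
    r'WARN\s+pgp/groupd\[\d+\]:\s+LDAP-\d+: failed to map consumer '
    r'"(?P<name>[^"]+)" \((?P<uuid>[0-9a-f-]{36})\) to a directory'
)

# Constructed sample log export. "Example User" appears twice because the
# server retries the lookup on every regroup; the INFO lines are filler.
SAMPLE_LOG = """\
INFO   pgp/groupd[2761]:       regroup started
WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Former Employee" (0f3c2b1a-1111-4222-8333-444455556666) to a directory
WARN   pgp/groupd[2761]:       LDAP-00000: failed to map consumer "Example User" (756056ec-7906-4560-bb08-d839c71db118) to a directory
INFO   pgp/groupd[2761]:       regroup finished
"""

# Constructed stand-in for a current user list exported from Active Directory.
SAMPLE_DIRECTORY_USERS = ["Example User", "Current Staffer"]


def unmapped_consumers(log_text):
    """Return an ordered {uuid: name} mapping of every consumer groupd
    failed to map, de-duplicated by UUID so repeated regroups count once."""
    found = OrderedDict()
    for line in log_text.splitlines():
        match = WARN_RE.search(line)
        if match:
            found.setdefault(match.group("uuid"), match.group("name"))
    return found


def classify(unmapped, directory_names):
    """Split unmapped consumers into 'stale' (name absent from the directory
    export) and 'suspicious' (name still present, so the failure needs
    investigating rather than account cleanup). Comparison is case-insensitive
    because AD display names are not case-sensitive."""
    present = {name.casefold() for name in directory_names}
    stale, suspicious = OrderedDict(), OrderedDict()
    for uuid, name in unmapped.items():
        target = suspicious if name.casefold() in present else stale
        target[uuid] = name
    return stale, suspicious


def main():
    unmapped = unmapped_consumers(SAMPLE_LOG)
    stale, suspicious = classify(unmapped, SAMPLE_DIRECTORY_USERS)
    print(f"{len(unmapped)} distinct unmapped consumers in log")
    print(f"{len(stale)} absent from directory export (candidates for review):")
    for uuid, name in stale.items():
        print(f"  {name} ({uuid})")
    print(f"{len(suspicious)} still present in directory (check LDAP config):")
    for uuid, name in suspicious.items():
        print(f"  {name} ({uuid})")


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and `SAMPLE_DIRECTORY_USERS` with the names from your directory export; the stale list is the figure to compare against your Internal User count when reconciling licenses.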


Environment

Symantec Encryption Management Server 10.5 and above.

Cause

This is by design. Users are not deleted automatically for two main reasons:

  1. Deleting a user also deletes the user's encryption key.
    • For users with SKM (Server Key Mode) keys, an administrator can export the user's private key from the server and set a passphrase on it at export time. The exported key can then be used to decrypt items that were encrypted to a user who has left the organization. Deleting the user removes that option.
    • For SCKM (Server Client Key Mode) keys, every subkey except the user's signing key can be exported from the server, again with a passphrase set by the administrator.
    • For GKM (Guarded Key Mode) keys, a copy of the user's private key can be exported from the server, but it is protected by a passphrase chosen by the user. If the user has left the organization, the exported key will usually be unusable.
    • In all cases, if you have configured an ADK (Additional Decryption Key), it can also decrypt data encrypted by users. Because the ADK can decrypt any user's data, its private key is not stored on the server. The private ADK should be kept in a very secure location, but in practice it is sometimes lost and cannot be located when needed.
  2. If a machine's WDRT (Whole Disk Recovery Token) is needed for a user who has left the organization, it is often easier for an administrator to search for the user name than for the machine name, which is only possible if the user account still exists.

Reasons why you may wish to delete user accounts from Encryption Management Server include the following:

  1. Licensing - It is easier to track how many user licenses are needed if only active users are listed in the Encryption Management Server management console.
  2. Performance of the administration console - In very large environments there will be marginal performance improvements when searching for users from the administration console. However, such performance improvements will generally not, by themselves, justify the deletion of user accounts.
  3. Performance when regrouping against Active Directory - When a user is deleted from Active Directory, Encryption Management Server will search Active Directory unsuccessfully for that user each time it regroups. In a large environment, searching for thousands of users that are not in Active Directory can slow down the regrouping process.
  4. Backup performance - Having fewer internal users will speed up backups and result in smaller backup sizes in large environments.
  5. Duplicate email addresses - Encryption Management Server treats the email address as a unique identifier, so problems can arise when a user leaves and a new joiner is later assigned the same email address while the original user account still exists in Encryption Management Server. This should be rare and can be dealt with on a case-by-case basis.

Resolution

If you wish to remove users from Encryption Management Server systematically, please reach out to Symantec Encryption Support for further guidance.


Additional Information

ISFR-2455
EPG-23205