Encryption Management Server matches an unexpected Active Directory user during regrouping of consumers in multiple domains
Last Updated February 15, 2018
Encryption Management Server may match an unexpected Active Directory user during periodic regrouping of consumers when Encryption Management Server Directory Synchronization is pointed at multiple Active Directory domains and multiple Active Directory objects have the same email address.
Encryption Management Server 3.3 and above.
Directory Synchronization pointing to multiple Active Directory domains.
Multiple Active Directory objects have the same email address.
Encryption Management Server will attempt to find users based on email address once other search methods have failed. When searching by email address, Encryption Management Server searches on email addresses sorted in ascending order rather than searching first on the primary email address.
Try to avoid giving users in different domains the same email address.
For example, Directory Synchronization is pointing to two Active Directory domains which it searches in order:
Domain1 contains a user with the following email address:
Domain2 contains a user with the following email addresses:
email@example.com - this is the primary email address
When an email from firstname.lastname@example.org passes through Encryption Management Server for the first time, the user in Domain2 will be matched and an internal user record created. The internal user record will be associated with all three email addresses.
If the user in Domain2 is moved to an Active Directory container that is outside of the search scope used by Directory Synchronization, then the next time Encryption Management Server regroups against Active Directory, the following will occur:
1. Regrouping will be unable to find the user in the user's previous Active Directory container.
2. Regrouping will search by ObjectGUID. Since the user is outside of the search scope, it will not be found.
3. Regrouping will search by email address. Because email addresses are sorted in ascending order before being searched, the first email address to be searched will be email@example.com, not the primary email address of firstname.lastname@example.org.
4. The user in Domain1 will be matched.
5. The user will be placed in an Encryption Management Server group and policy depending on the Active Directory security groups that the user in Domain1 is a member of.
6. The user will be associated only with the email address email@example.com.
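The fall-through described above, modelled as an added Python example that is not part of this article or of Encryption Management Server's own code: the ADUser class, the regroup_lookup and duplicate_emails functions, the OU=Users search scope and the third Domain2 address are all constructed assumptions. The duplicate_emails audit is the kind of check the advice above calls for: it lists addresses shared by objects in different synchronized domains before regrouping can mis-match them.

```python
from dataclasses import dataclass, field

@dataclass
class ADUser:
    domain: str
    dn: str                       # current container, e.g. CN=x,OU=Users,DC=domain2
    guid: str
    primary_email: str
    proxy_emails: list = field(default_factory=list)

    def emails(self):
        return [self.primary_email] + self.proxy_emails

def in_scope(user, scope_ou):
    # Assumed search scope: only objects under the given OU are synchronized.
    return f",{scope_ou}," in f",{user.dn},"

def regroup_lookup(record, domains, scope_ou="OU=Users"):
    """Three-stage fallback as described in the article: previous DN, then
    ObjectGUID, then email addresses in ascending sort order (not primary first),
    with the synchronized domains searched in order."""
    candidates = [u for d in domains for u in d if in_scope(u, scope_ou)]
    for u in candidates:                       # 1. previous container
        if u.dn == record["dn"]:
            return u, "dn"
    for u in candidates:                       # 2. ObjectGUID
        if u.guid == record["guid"]:
            return u, "guid"
    for email in sorted(record["emails"]):     # 3. email, ascending order
        for u in candidates:
            if email in u.emails():
                return u, "email:" + email
    return None, "unmatched"

def duplicate_emails(domains):
    """Audit: addresses present on more than one object across all synced domains."""
    owners = {}
    for d in domains:
        for u in d:
            for e in u.emails():
                owners.setdefault(e.lower(), set()).add((u.domain, u.guid))
    return {e: o for e, o in owners.items() if len(o) > 1}

def scenario():
    """Constructed data mirroring the Domain1/Domain2 example in the article."""
    d1_user = ADUser("Domain1", "CN=user1,OU=Users,DC=domain1", "guid-1", "email@example.com")
    d2_user = ADUser("Domain2", "CN=user2,OU=Users,DC=domain2", "guid-2",
                     "firstname.lastname@example.org",
                     ["email@example.com", "third.alias@example.org"])  # third address constructed
    domains = [[d1_user], [d2_user]]
    # First message from the Domain2 user creates the internal record with all three addresses.
    record = {"dn": d2_user.dn, "guid": d2_user.guid, "emails": d2_user.emails()}
    first = regroup_lookup(record, domains)           # Domain2 user, found by previous DN
    d2_user.dn = "CN=user2,OU=Archived,DC=domain2"    # moved outside the search scope
    second = regroup_lookup(record, domains)          # Domain1 user, matched via email@example.com
    return first, second, duplicate_emails(domains)
```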