We don't change user accesses within the Universal Server itself, but from an external directory that is linked to the Universal Server. That being said, you can try the following steps, which work for us on v. 2.9 / 9.9 with the majority of our users in GKM mode.
Caveat: PGP is not in our mailstream.
Caveat 2: If you are removing these users from WDE completely, I might tend to decrypt the device first before changing the policy or performing the steps below.
On each desktop where the client is installed:
1. Stop PGPTray.exe.
2. Delete Pgpprefs.xml from the user's APPDATA\PGP Corporation\PGP folder.
3. Launch PGPDesktop from Start. Respond 'yes' to any prompt regarding 'starting services'.
4. The user will be prompted to re-enroll, but his or her old key should be identified and left viable on the server.
5. After enrollment, the new policy should take effect but the old keys should remain.
Good Luck!
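Steps 1 and 2 above as a PowerShell sketch, added here as an example and not part of the original post. It assumes the prefs file sits at `%APPDATA%\PGP Corporation\PGP\PGPprefs.xml` for the logged-on user, and it moves the file to a timestamped backup instead of deleting it so the old settings can be restored if re-enrollment fails.

```powershell
# Added example: run in the affected user's session on the client desktop.
# Assumption: prefs file location below; adjust if your client stores it elsewhere.
$prefs  = Join-Path $env:APPDATA 'PGP Corporation\PGP\PGPprefs.xml'
$backup = "$prefs.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

# Step 1: stop the tray process if it is running, and wait for it to exit
# so the prefs file is no longer held open.
$tray = Get-Process -Name 'PGPtray' -ErrorAction SilentlyContinue
if ($tray) {
    $tray | Stop-Process -Force
    $tray | Wait-Process -Timeout 15 -ErrorAction SilentlyContinue
}

# Step 2: move the prefs file aside (deviation from the post, which deletes it).
if (Test-Path -LiteralPath $prefs) {
    Move-Item -LiteralPath $prefs -Destination $backup
    Write-Host "Prefs moved to $backup"
} else {
    Write-Warning "No prefs file found at $prefs; nothing to move."
}

# Steps 3-5 stay manual: launch PGP Desktop from the Start menu, answer 'yes'
# to the 'starting services' prompt, and complete the enrollment dialog.
Write-Host 'Now launch PGP Desktop from Start and re-enroll.'
```

Once enrollment succeeds and the new policy is confirmed on the client, the `.bak` file can be removed.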