So to clarify, do you get the enrollment prompt, and then the user fails to enroll, or is no prompt coming up to enroll the user? Does it instead ask if you would like PGP enabled from this account, then ask you to license the product? When you download the client from the Groups page on the server, be sure to check the box to customize the installer, and match users automatically.
When testing your Bind DN, make sure to click on View Sample Records in the bottom left. Any results at all mean that your connection and AD sync should be good.
Does your end user account have an email address in AD, that is also in the managed domain for the server? That can cause a user to fail to enroll.
Describe exactly what happens on the client system when you log the user on.