User is assigned to the wrong policy during or after enrollment

Article: TECH149305  |  Created: 2009-03-04  |  Updated: 2011-06-30
Article Type: Technical Solution



This article details areas to check when a user is placed in the wrong policy either during or after enrollment with a PGP Universal Server.



A user may be placed in the wrong policy for a variety of reasons, including changes to the internal users policy, Directory Synchronization settings, user LDAP attributes, and changes to a user's LDAP or Active Directory account. Use the steps below to assist in troubleshooting the issue.

1. The first area to check when a user is not in the correct policy is the PGP Universal Server logs. The Client logs on the server can assist in troubleshooting why a user was moved or placed in a specific policy.

To view the logs for the client, click the Reporting card, then click Logs. In the System Logs, view the Client logs by clicking the down arrow next to Log: and selecting Client.

2. Check for any changes to the LDAP settings for custom Internal User policies. Changes to the LDAP attributes for a custom policy can affect which policy a user is placed in. If users were previously placed in the correct policy, any change to the user's LDAP account settings or changes to the policy attributes may cause the user to be moved to the Internal Users: Default policy or the External Users: Default policy.

Users will be placed in External Users if Directory Services for the Internal Users: Default policy is configured to exclude non-matching users.

3. Confirm the user's LDAP attributes. To inspect the LDAP attributes for a user, run the gpresult command from the command prompt on the user's system. The results of the command will help confirm whether the user's attributes match the attributes for the policy on the PGP Universal Server.

4. Confirm that the configuration for Directory Synchronization is correct. Check for any incorrect information in the Hostname, Base DN, and Bind DN fields.

To confirm the Directory Synchronization settings, access the PGP Universal Server administrative interface, click the Policy card, then click Internal User Policy and select the Directory Synchronization button.
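As an added illustration of steps 2 and 3 (not code from this article or from PGP Universal Server), the following Python compares a user's exported LDAP attributes with the attribute/value pair set on each custom policy and reports the fallback placement described above when nothing matches. The LDIF entry, the `Finance Laptops` policy, the in-order evaluation and the case-insensitive comparison are assumptions made for the example.

```python
import base64

# Constructed LDIF export for one user (note the folded line and the base64 value).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Finance,DC=example,DC=com
sAMAccountName: alice
department:: RmluYW5jZQ==
memberOf: CN=PGP-Finance,OU=Groups,
 DC=example,DC=com
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: ..." marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def predict_policy(attrs, custom_policies, exclude_non_matching):
    """Return (policy name, reason) for the given attributes.

    custom_policies: list of (policy name, LDAP attribute, expected value),
    checked in order (assumed ordering, case-insensitive comparison).
    """
    for policy, attribute, expected in custom_policies:
        values = attrs.get(attribute.lower(), [])
        if any(v.lower() == expected.lower() for v in values):
            return policy, f"{attribute}={expected} matched"
    if exclude_non_matching:
        return "External Users: Default", "no match; non-matching users excluded"
    return "Internal Users: Default", "no custom policy matched"

if __name__ == "__main__":
    rules = [("Finance Laptops", "department", "finance")]  # hypothetical policy
    print(predict_policy(parse_ldif_entry(SAMPLE_LDIF), rules, False))
```

Running the prediction before and after a directory change shows whether an edited attribute alone explains a user moving to one of the default policies.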

