File Share Encryption

  • 1.  Directory Synchronization enabled removed user won't show back up in Internal Users listing

    Posted Sep 18, 2017 10:23 AM

    Hello,

          A user was removed from the encryption server which has directory synchronization setup and working.  The Active Directory information on the user has not changed (same sAMAccountName and group assignments) but is not showing back up in the user listing and cannot be added as a pass-phrase user in desktop encryption.  I checked my LDAP connection and everything is working as needed.  The user is a member of the base DN and is in the correct security groups to be assigned to a group on the encryption server.  Is there something I am missing?


    Thanks

    Sean



  • 2.  RE: Directory Synchronization enabled removed user won't show back up in Internal Users listing

    Posted Sep 18, 2017 11:51 AM

    Has the user received a prompt to re-enroll?  If not, stop PGP services and rename the %AppData%\PGP Corporation\PGP folder.  Then start PGP Services, and they should be asked to enroll.
    https://support.symantec.com/en_US/article.HOWTO42029.html




  • 3.  RE: Directory Synchronization enabled removed user won't show back up in Internal Users listing

    Posted Sep 18, 2017 11:52 AM

    Correction on my above post.  I can add the user as a passphrase user on desktop encryption but I cannot enroll the user using the desktop application when prompted on login.



  • 4.  RE: Directory Synchronization enabled removed user won't show back up in Internal Users listing

    Posted Sep 18, 2017 02:26 PM

    Mike,

         Thanks for the help.  I attempted the steps from the post and I get the Encryption Desktop Setup Assistant app when the user logs in.  I have the user input their AD password and it attempts to encrypt the hard drive but a dialog box pops up with Could not start disk encryption err: -11286.  Then nothing else happens.


    Sean



  • 5.  RE: Directory Synchronization enabled removed user won't show back up in Internal Users listing

    Posted Oct 09, 2017 01:21 PM

    11286 is an authorization failure.  It is fairly vague, but somewhere in the process it is not seeing the user as valid.  Try the following:
    1. Create a test profile on SEMS with a test AD group as users.
    2. Remove the user in AD from the current group and place them in the test group.
    3. See if the user is prompted to enroll, and if drive encryption proceeds.
    4. Move user back to original AD group.

    The user may have some data which remains in the database showing that either they were removed manually or that they were already a member of that group.  The above would hopefully prompt the system to change the database information for that user.
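The AD side of the procedure above (steps 2 and 4), as an added PowerShell example that is not part of the thread: it records the user's current group membership before moving them to the test group, so the move can be reverted exactly. The base DN, group names and sAMAccountName are placeholder assumptions.

```powershell
# Added example (not from the thread): swap a user between the production
# encryption group and a test group, as in steps 2 and 4 above, saving the
# original membership so the change can be reverted exactly.
# Assumptions (placeholders): base DN, group names and sAMAccountName.
param(
    [string]$SamAccountName = 'jdoe',                       # placeholder
    [string]$BaseDn         = 'OU=Users,DC=example,DC=com', # placeholder
    [string]$OriginalGroup  = 'Encryption-Users',           # placeholder
    [string]$TestGroup      = 'Encryption-Test',            # placeholder
    [switch]$Revert
)
Import-Module ActiveDirectory

# Confirm the account exists under the base DN the encryption server syncs.
$user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -SearchBase $BaseDn
if (-not $user) { throw "No user '$SamAccountName' found under $BaseDn" }

$snapshot = Join-Path $env:TEMP "$SamAccountName.groups.txt"

if ($Revert) {
    # Step 4: return the user to the original group and leave the test group.
    Remove-ADGroupMember -Identity $TestGroup     -Members $user -Confirm:$false
    Add-ADGroupMember    -Identity $OriginalGroup -Members $user
    Write-Host "Reverted. Original membership snapshot is in $snapshot"
    return
}

# Record the current group list before changing anything.
Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty Name | Set-Content -Path $snapshot

# Step 2: move the user from the production group to the test group.
$current = Get-Content $snapshot
if ($current -notcontains $OriginalGroup) {
    throw "'$SamAccountName' is not in '$OriginalGroup'; see snapshot at $snapshot"
}
Remove-ADGroupMember -Identity $OriginalGroup -Members $user -Confirm:$false
Add-ADGroupMember    -Identity $TestGroup     -Members $user

# Step 3 is manual: have the user log in and check whether the enrollment
# prompt appears and drive encryption proceeds. Then run again with -Revert.
Write-Host "Moved '$SamAccountName' to '$TestGroup'. Snapshot saved to $snapshot"
```

The script only changes group membership in AD; creating the test profile on SEMS (step 1) is still done in the server console.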