File Share Encryption

  • 1.  Users are not enrolling in correct Group

    Posted Feb 01, 2016 01:45 PM

    I have HR OU containing HR employees in Active Directory running on Windows Server 2008 R2.

    In Symantec Encryption Management Server 3.3.2, I have created a group by the name of HR and under the Membership tab I have checked "

    Attribute: memberOf
    Value: OU=HR,DC=contoso,DC=com
    Now when an HR user logs onto his computer on which Symantec Encryption Desktop is installed and tries to enroll, he is placed in default Everyone group rather than HR group. Why is this happening? Can anyone help me out?



  • 2.  RE: Users are not enrolling in correct Group

    Posted Feb 02, 2016 02:12 AM

    Hi,

    Please refer to this KB.

    https://support.symantec.com/en_US/article.HOWTO42093.html

    Below is the correct value.

    Attribute: distinguishedName
    Value: ^.+,OU=OrgUnit,DC=pgptest,DC=dom$
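To show why a memberOf rule never matches an OU while the KB's distinguishedName pattern does, here is an added Python example (not from this thread, the KB, or Symantec) that applies a SEMS-style "attribute plus regular expression" rule to constructed Active Directory records; it assumes the console evaluates the Value field as a regular expression, as the `^...$` pattern in the KB suggests.

```python
import re

# Constructed sample AD records (not real directory data): one user in the HR
# OU and one outside it. memberOf holds *group* DNs only; the OU a user sits
# in appears solely inside distinguishedName.
SAMPLE_USERS = {
    "alice": {
        "distinguishedName": "CN=Alice,OU=HR,DC=contoso,DC=com",
        "memberOf": ["CN=Domain Users,CN=Users,DC=contoso,DC=com"],
    },
    "bob": {
        "distinguishedName": "CN=Bob,OU=Sales,DC=contoso,DC=com",
        "memberOf": ["CN=Domain Users,CN=Users,DC=contoso,DC=com"],
    },
}


def rule_matches(attribute, pattern, user):
    """One membership rule: does the regex match any value of the attribute?
    Assumption: the Value field is a regex (the KB pattern uses ^ and $).
    Multi-valued attributes such as memberOf match if any value matches."""
    values = user.get(attribute, [])
    if isinstance(values, str):
        values = [values]
    regex = re.compile(pattern, re.IGNORECASE)
    return any(regex.search(v) for v in values)


def assign_group(user, rules, default="Everyone"):
    """Return the first group whose rule matches, else the default group."""
    for group, (attribute, pattern) in rules:
        if rule_matches(attribute, pattern, user):
            return group
    return default


# Rule as the original poster configured it: an OU path checked against memberOf.
RULES_AS_POSTED = [("HR", ("memberOf", r"OU=HR,DC=contoso,DC=com"))]
# Rule as the KB recommends: the OU matched inside distinguishedName.
RULES_FROM_KB = [("HR", ("distinguishedName", r"^.+,OU=HR,DC=contoso,DC=com$"))]


def explain():
    """Map each sample user to (group under posted rule, group under KB rule)."""
    return {name: (assign_group(u, RULES_AS_POSTED), assign_group(u, RULES_FROM_KB))
            for name, u in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, (posted, kb) in explain().items():
        print(f"{name}: as posted -> {posted}; per KB -> {kb}")
```

Alice lands in Everyone under the memberOf rule but in HR under the distinguishedName rule; Bob stays in Everyone under both.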



  • 3.  RE: Users are not enrolling in correct Group

    Broadcom Employee
    Posted Feb 02, 2016 02:30 AM

    Please check these steps:
    1. First of all, ensure that Directory Synchronization is enabled. Go to Symantec Encryption Management Server (SEMS) console > Consumers > Directory Synchronization and ensure you see "Directory Synchronization is enabled".
    2. Then verify if you have configured LDAP Directories (you should see at least one in the same place as above)
    3. If LDAP Directories is configured, click on it. Then under LDAP Servers you can click button "Test Connection". You should see "successful" if everything is configured correctly. Next, you can click on "View Sample Records" to see if you are able to list some entries from Active Directory
    In the next tab - "Base Distinguished Names" - ensure that you have the path to Base DN. Within this path you should have the required OU (so it should be "OU=HR,DC=contoso,DC=com" or higher OU).
    4. Once LDAP is configured correctly, click on "Settings" (still the same place as in step 1) and ensure that "Enroll clients using directory authentication" is enabled
    5. The last thing described by you is "Consumers > Groups > Membership", but this you seem to have configured properly.



  • 4.  RE: Users are not enrolling in correct Group

    Posted Feb 02, 2016 10:55 AM

    I would suggest creating the group through the Keys tab, clicking the Generate AD Group Keys button. It will allow you to browse through your directory via LDAP and select the group you want. This pulls the memberOf value for you. It also adds the AD GUID of the group, creates the group, and generates a group key. There is much less room for error doing it this way, plus you get a group key generated automatically if you are using FileShare. If you aren't using FileShare, then the key doesn't really matter, but the group will still be set up appropriately.

    I always recommend using this method to avoid typos, extra white space, or other errors. If you can't browse to the OU in the LDAP browser, it can also help identify where an actual problem lies.



  • 5.  RE: Users are not enrolling in correct Group

    Posted Feb 08, 2016 01:33 PM

    Thanks guys for your valuable recommendations and help. I have tried all three of the above suggestions; however, unfortunately the problem still remains. Any more suggestions from you will be appreciated.

    Can it be just that Symantec Encryption Management Server doesn't work with OUs at all and only with groups? Have you guys ever tested with OUs before?



  • 6.  RE: Users are not enrolling in correct Group

    Broadcom Employee
    Posted Feb 09, 2016 05:34 AM

    Symantec Encryption Management Server (SEMS) works fine with OUs. It should be something in the configuration that is going wrong.

    When creating the installation package of Symantec Encryption Desktop (SED) - an .msi file - did you customize it? If not, please do the following:

    1. In "Consumers > Groups" click the "Download Client..." button below the list of groups

    2. Select desired Client, Platform and Language and enable "Customize" option. Leave the "Auto-detect Policy Group" enabled:

    [Screenshot: msi.JPG]

    If you follow my previous suggestions along with this new client package, you will find users belonging to the correct group after enrollment.