If a Registered LDAP Server points to a child domain and has Global Catalog enabled, users from across the entire domain forest can be added, not just the users that exist in that specific child domain.
When the Global Catalog option is disabled, ePO no longer has access to the Global Catalog and can only query users that exist in the child domain to which the Registered Server points. As a result, users that aren't members of that specific child domain can no longer be found. The ePO server assumes that these users have been deleted from Active Directory (AD), and the associated Endpoint Encryption Users are deleted from the ePO database.
Background Information
Drive Encryption (DE) users are created in the ePO database based on user information that's imported from AD. The connector on the ePO server that holds the configuration for the connection between ePO and AD is called a Registered Server. An associated Drive Encryption LDAP Sync server task is also configured; the sync task contains all settings that control what's imported and how frequently.
When a user is imported from AD, a preboot user account is generated in the ePO database. The settings that govern these users are made in the associated LDAP Sync Task. If a user is deleted or disabled in AD, the user is deleted or disabled in the ePO database. The change to the ePO database takes effect when the Server Task runs on the ePO Server.
One of the Registered Server configuration options is the Global Catalog setting. When enabled, this setting allows the connector to connect to a single domain controller, and access the Global Catalog. The Global Catalog contains a list of the following:
- All users
- All systems
- Groups for the local domain, parent domain, and other child domains
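The following is an added pre-check example, not ePO's or Drive Encryption's own code: before disabling Global Catalog on a Registered Server, it lists which imported user DNs sit outside the naming context of the child domain the Registered Server points to, since those are the users the next LDAP Sync would treat as deleted. The base DN and user DNs below are constructed sample values.

```python
"""Pre-check: which DE users would be lost if Global Catalog is disabled.

Hypothetical helper, not part of ePO. It compares each user's DN against
the naming context (the DC= components) of the Registered Server's base DN.
With Global Catalog disabled, only users inside that naming context can be
found, so every other user would be treated as deleted from AD.
"""
from typing import List

# Constructed sample: Registered Server points at the child domain.
REGISTERED_SERVER_BASE_DN = "DC=child,DC=example,DC=com"

# Constructed sample: DE users previously imported while GC was enabled.
SAMPLE_DE_USERS = [
    "CN=Alice,OU=Staff,DC=child,DC=example,DC=com",   # child domain itself
    "CN=Bob,OU=Staff,DC=example,DC=com",              # parent domain
    "CN=Carol,OU=Eng,DC=other,DC=example,DC=com",     # sibling child domain
    "CN=Dave,OU=Eng,DC=Child,DC=Example,DC=COM",      # same domain, other case
]


def dn_domain_components(dn: str) -> List[str]:
    """Return the DC= values of a DN in order, lower-cased.

    Assumes no escaped commas inside RDN values (true for the sample data).
    """
    parts = [p.strip() for p in dn.split(",")]
    return [p.split("=", 1)[1].lower() for p in parts if p.lower().startswith("dc=")]


def in_naming_context(user_dn: str, base_dn: str) -> bool:
    """True when the user lives in exactly the domain that base_dn names."""
    return dn_domain_components(user_dn) == dn_domain_components(base_dn)


def users_at_risk(user_dns: List[str], base_dn: str) -> List[str]:
    """DNs that a non-GC query against base_dn's domain cannot find.

    These are the users the LDAP Sync task would delete from the ePO
    database once Global Catalog is disabled on the Registered Server.
    """
    return [dn for dn in user_dns if not in_naming_context(dn, base_dn)]


if __name__ == "__main__":
    for dn in users_at_risk(SAMPLE_DE_USERS, REGISTERED_SERVER_BASE_DN):
        print("would be deleted after GC is disabled:", dn)
```

Run it against the real list of imported user DNs (exported from the ePO database) and the Registered Server's base DN to see the blast radius before changing the setting.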