How disabling/deleting a user in Active Directory affects the Drive Encryption user

Every user account in LDAP has an objectGUID. If a user account is deleted from LDAP and another is created with the same user name, the new account is a different entity, because it has a different objectGUID.

How to delete a user in LDAP

You must first delete the user in LDAP, then run the LdapSync: Sync across users from LDAP server task and send an agent wake-up call. The user disappears from the DE Users list after the LdapSync: Sync across users from LDAP task completes.

The McAfee ePO Server Settings option If user is disabled in LDAP server (under Configuration | Server Settings | Drive Encryption | General | Edit) can be set to disable, delete, or ignore a user that has been disabled in the LDAP server. The default setting is Disable.

What if a user is disabled from LDAP?

If a user account is initialized on the client system and is later disabled in LDAP, the next run of the LdapSync: Sync across users from LDAP task automatically disables or deletes that user on the client, or ignores the change, according to the Server Settings option. To authenticate through the client PBA with a disabled or deleted LDAP user name, set the policy to ignore or re-enable the user in LDAP, then initialize the same user name on the client with the default password.

This does not remove the user from the DE Users list in ePolicy Orchestrator; it removes the user from the client system according to the option set in the Server Settings.
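The following is an added illustration, not McAfee code: a small model of the LdapSync reconciliation described above, keyed on objectGUID rather than user name, so a deleted-and-recreated account with the same name is not matched and the three values of the If user is disabled in LDAP server option produce distinct client states. The GUID values and class names are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical model (not the product's implementation) of how a sync task
# reconciles the DE Users list against LDAP. Identity is the objectGUID only.

@dataclass
class LdapUser:
    object_guid: str
    sam_account_name: str
    enabled: bool = True

@dataclass
class DeUser:
    object_guid: str
    user_name: str
    client_state: str = "active"   # active | disabled | deleted

def ldap_sync(de_users, ldap_users, if_disabled="disable"):
    """Return the DE Users list after one sync run.

    if_disabled mirrors the Server Settings option: disable | delete | ignore.
    """
    if if_disabled not in ("disable", "delete", "ignore"):
        raise ValueError(f"unknown option: {if_disabled}")
    by_guid = {u.object_guid: u for u in ldap_users}
    kept = []
    for de in de_users:
        src = by_guid.get(de.object_guid)
        if src is None:
            # Deleted in LDAP (or recreated with a new objectGUID):
            # the DE user disappears from the list, name match or not.
            continue
        if not src.enabled:
            if if_disabled == "disable":
                de.client_state = "disabled"
            elif if_disabled == "delete":
                de.client_state = "deleted"
            # "ignore": the client state is left unchanged
        kept.append(de)
    return kept

if __name__ == "__main__":
    # Constructed scenario: jdoe deleted and recreated under a new objectGUID.
    old = DeUser("aaaaaaaa-0000-0000-0000-000000000001", "jdoe")
    new = LdapUser("bbbbbbbb-0000-0000-0000-000000000002", "jdoe")
    print(ldap_sync([old], [new]))   # [] : same name, different entity
```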

Is it possible to just disable the Drive Encryption user when removed from LDAP?

It is not possible to only disable a Drive Encryption user once it has been removed from LDAP. The deleted user is removed from the DE Users list during the next LdapSync: Sync across users from LDAP task.

What if the Drive Encryption user assignment is deleted/removed?

If the Drive Encryption user assignment is deleted from a system, the user might still be assigned back to the client system if the Add local domain users option is enabled in the Product Settings Policy. For this to work, the user must have logged on to Windows at least once, and the domain to which the client system is connected must have been registered in ePolicy Orchestrator. You can also manually add users using the Menu | Data Protection | Encryption users | Add Users option in ePolicy Orchestrator.