your script is the obvious target for investigation - does it create any logs?
The Connector Manager would do that based on group mapping rules, but if you're using your own script to do that task you need to look there.
I am using the Connector Manager and when the log file is examined the section for the user states as follows.
01/06/2011 11:32:54 Checking Endpoint Encryption User Person_A
01/06/2011 11:32:54 ...Logon hours updated
01/06/2011 11:32:55 ...moving user from Users - Active group to User Default group
there seems to be nothing different to this users profile on the AD or within Endpoint to suggest why the script would move her and this seems to be the only user having this issue.
Do you have any ideas or a course of action ?
it's due to the group mappings you have set up - something in that user is causing it to get mapped to that group.
I would look at the user with LDAPBrowser, and compare their attributes to the rules you've set in the group mappings - maybe there's a typo in their AD record or something. These things are usually quite obvious when you get to the real facts of the matter.
It appears the the issue is to do with the AD connector this was not used in the previos version of the setup. Before when the encryption was deployed it checked the user logging on a script ran locally on the computer and added it to the EEM. I have noticed now that the users being added using the AD connector have different bindings and these are the users that move when the AD Connector Sync's.
Old Script added users have.
SBADCON1.att - objectGUID, SBADCON1.val - USERID, SBADCON1.username - USERID.
The AD Connector added users have
SBADCON0.changes - NUM, SBADCON0.username - USERID.
Any Advice ?
the connector is doing what its configuration tells it to do - but, that connector won't touch users created with your script (they are set to use a different connector instance).
so, again, the users move because the connector group mappings tell them to be somewhere they are not - you I guess are moving them back, and then the connector is putting them back where it's been told to put them.
So, you need to edit the group mappings to make the users go where you want them to be.