Three items are required to enable PolicyServer AD synchronization:
A configured AD domain.
A PolicyServer group configured to point to one or more valid AD organizational units (OUs).
Appropriate credentials to access the AD domain that match the PolicyServer group's distinguished name.
When configured properly, synchronization automatically creates new PolicyServer users and moves them to the appropriate paired groups on PolicyServer. During synchronization, PolicyServer is updated to reflect current users and group assignments for paired groups.
Adding a new user to the domain and placing that user in an organizational unit will flag that user so that during the next synchronization, AD will create that user in PolicyServer and then move that user into the appropriate paired PolicyServer group.
Deleting a user from AD will automatically remove that user from a PolicyServer paired group and from the enterprise.
To add non-domain users to groups that are synchronized with the domain, you can create unique Endpoint Encryption users and add them to paired PolicyServer groups without having those users modified by the synchronization system.
If you remove the Endpoint Encryption user from a paired group in PolicyServer, that domain user will not automatically be re-added by the synchronization system. This prevents the synchronization system from overriding your action for this Endpoint Encryption user. If you manually move a synchronized domain user back into a paired group, the synchronization system will again begin to automatically maintain the user in the group.
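The rules above can be checked against a small model of one synchronization pass. This is an added example, not Trend Micro code: `PairedGroup`, `synchronize`, the action names and the user names are hypothetical, and the model covers a single paired group only.

```python
from dataclasses import dataclass, field


@dataclass
class PairedGroup:
    """Hypothetical model of one PolicyServer group paired with AD OUs."""
    domain_members: set = field(default_factory=set)  # maintained by sync
    local_members: set = field(default_factory=set)   # non-domain users, never touched by sync
    excluded: set = field(default_factory=set)        # domain users an administrator removed by hand

    def admin_remove(self, user: str) -> None:
        """Administrator removes a user from the paired group."""
        if user in self.domain_members:
            self.domain_members.discard(user)
            self.excluded.add(user)  # sync must not re-add this user
        else:
            self.local_members.discard(user)

    def admin_add_back(self, user: str) -> None:
        """Administrator manually moves a domain user back into the group."""
        self.excluded.discard(user)
        self.domain_members.add(user)  # sync maintains the user again


def synchronize(group: PairedGroup, ad_ou_users: set) -> list:
    """Apply one sync pass and return the (action, user) pairs it performed."""
    ad = set(ad_ou_users)
    actions = []
    # New AD users are created and placed in the paired group,
    # unless an administrator removed them from the group by hand.
    for user in sorted(ad - group.domain_members - group.excluded):
        group.domain_members.add(user)
        actions.append(("create_and_add", user))
    # Users deleted from AD are removed from the paired group.
    for user in sorted(group.domain_members - ad):
        group.domain_members.discard(user)
        actions.append(("remove", user))
    # local_members is deliberately never read or modified here.
    return actions
```

When auditing a deployment, the `excluded` case is the one to watch: a domain user who is present in the OU but missing from the paired group was removed by hand and stays out until an administrator moves the user back.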