I've got a case logged with Symantec regarding this issue, but it seems odd, so I figured I'd toss it out here for any potential insight, but also to document the solution when it's found.
I've got a fresh environment, EV 8.0.2 on Server 2008 x64 archiving against Exchange 2003 and 2007 mailbox servers. EV was having issues provisioning some of my users that I had added to the AD security group target, and it seems as though EV is not completely enumerating the users that exist in Active Directory. When I go to manually add a single account to the PG, that provisions fine. When I go to add that same account to the corresponding SG, no problems. It's like EV only sees ~30 of the users that exist in AD, all in different OUs, and homed to different Exchange systems. Any users that EV cannot see will not be provisioned when added to the AD security group.
I've DTRACE'ed and all looks fine, and no errors are reported in the event log. So far, I've tried manually setting the GC to various DCs in the directory, and deleting and recreating the PG and AD groups, to no avail.
If anyone has any ideas, I'd love to hear them - but I'll be sure to post any updates I get from support.
Have you tried creating a new security group, with a new name, and adding the users to that group, and provisioning?
Is your forest/domain "simple" (one domain) or more complex?
What kind of security group is it?
How many people are in the security group?
Do you just have one provisioning group target at the moment?
Not sure how "clear text" LDAP queries and GC look-ups are, but it might be worth doing a netmon from the EV server, and seeing what is being sent to the GC, and what is coming back... Also from the DTRACE, you'll see the LDAP query that is being sent to the GC - what happens if you do the same/similar query, from the EV server using LDIFDE?