AD Mapping rules are scanned in top-to-bottom order on the Mappings page, and only the first match on the list is applied. You can rearrange the order of rules if you find that you would prefer a different policy assignment outcome than you are seeing.

There is a default AD Mapping rule that cannot be deleted, nor can it be moved from the bottom of the Policy Mappings rule table. It maps “[all others]”, that is, all computers that have not matched any of the other rules in the table, to the policy you choose. Because it remains at the bottom of the table, it assures that any automatically mapped computer is assigned to some policy. It is initially mapped to the Default Policy, but you can change this. Creation of an “AD Default Policy” is recommended so that computers not matching other rules have a policy that best reflects a default security level with settings you want.