AD Mapping rules are scanned in top-to-bottom order on the Mappings page, and only the first matching rule in the list is applied. If endpoints are being assigned a different policy than you intended, you can rearrange the order of the rules to change the outcome.

There is a default AD Mapping rule that cannot be deleted or moved from the bottom of the Policy Mappings Rule table. It maps “[all others]”, that is, all endpoints that have not matched any of the other rules in the table, to the policy you select. Because it remains at the bottom of the table, it ensures that every automatically mapped endpoint is assigned to some policy. It is initially mapped to the Default Policy, but you can change this. Creating an “AD Default Policy” is recommended, so that endpoints matching no other rule receive a policy whose settings reflect your preferred default security level.
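
The following sketch models the first-match behaviour described above, showing how a broad rule placed above a narrower one decides the outcome and how reordering changes it. It is an added example, not the product's own code; it assumes rules match on AD group membership, and the group, policy and host names (other than “[all others]” and “AD Default Policy”) are constructed.

```python
from dataclasses import dataclass

ALL_OTHERS = "[all others]"  # criterion of the undeletable bottom rule

@dataclass(frozen=True)
class Rule:
    group: str   # ASSUMPTION: a rule matches on AD group membership
    policy: str

def matches(rule, endpoint_groups):
    return rule.group == ALL_OTHERS or rule.group in endpoint_groups

def assign_policy(endpoint_groups, rules):
    """Scan top to bottom and apply only the first matching rule."""
    if not rules or rules[-1].group != ALL_OTHERS:
        raise ValueError("the [all others] rule must be last")
    return next(r.policy for r in rules if matches(r, endpoint_groups))

def move_rule(rules, src, dst):
    """Return a reordered copy; the default rule stays pinned at the bottom."""
    last = len(rules) - 1
    if not (0 <= src < last and 0 <= dst < last):
        raise ValueError("the default rule cannot be moved or displaced")
    reordered = list(rules)
    reordered.insert(dst, reordered.pop(src))
    return reordered

def audit(endpoints, rules):
    """Per endpoint: (applied policy, later non-default rules that also matched)."""
    report = {}
    for name, groups in endpoints.items():
        applied = assign_policy(groups, rules)
        hits = [r.policy for r in rules[:-1] if matches(r, groups)]
        report[name] = (applied, hits[1:])
    return report

# Constructed sample data (group, policy and host names are made up).
RULES = [Rule("Domain Computers", "Workstation Policy"),
         Rule("Finance-Servers", "Strict Server Policy"),
         Rule(ALL_OTHERS, "AD Default Policy")]
ENDPOINTS = {"fin-db01": {"Domain Computers", "Finance-Servers"},
             "hr-lt07": {"Domain Computers"},
             "kiosk-03": set()}

if __name__ == "__main__":
    for name, (applied, overridden) in audit(ENDPOINTS, RULES).items():
        print(f"{name}: {applied}  (matched but never reached: {overridden})")
    fixed = move_rule(RULES, 1, 0)
    print("after reorder:", assign_policy(ENDPOINTS["fin-db01"], fixed))
```

An endpoint whose audit entry lists rules that matched but were never reached is a candidate for reordering, since a more specific rule sits below a broader one.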