When directory service integration is configured on Workspace ONE UEM, directory service accounts inherit enrollment settings from the organization group (OG) from which the directory service is configured. Basic accounts, however, abide by local settings including overrides.

The diagram shows a simple organization group model of a parent and a child OG.

Taking the above organization group model as an example, assume the option Enterprise Wipe devices of users that are removed from configured groups is enabled on the OG named 'Customer'.

Given this scenario, directory enrollment users in the Sales01 child OG who leave a configured group see their devices wiped despite the enrollment restriction override configured in that OG. This is true even if those accounts have devices enrolled on a different OG because enrollment settings are user-centric, not device centric.

However, in this same scenario, devices belonging to basic enrollment users of Sales01 OG who leave a configured group are not wiped. This is because basic enrollment users in Sales01 are not a part of the directory service-integrated OG and therefore recognize and abide by the enrollment restriction override.