There is no difference in how AD sync behaves for different license types.
It sounds like this user belongs to both the more privileged group and the lower privileged group?
The licensing concern (read only license) and repository security (e.g., access to a folder or ability to delete entries) are two separate portions to address so that the user has the access level you expect.
For the licensing, there are two main possibilities:
- Your system does not have enough licenses to fulfill the current set of rules. When that is the case, no changes will be made to any user licenses. There should be errors in the Directory Server administration site and in the event viewer, and you can also view your existing allocations to see how many licenses you have remaining.
- Your group synchronization rule order does not match your desired behavior
For the second case, you may need to re-order your rules for synchronization. The rules are evaluated in order, top to bottom, so if the group rule that grants this user a full license comes after the group rule that grants a read-only license, the user will still end up with a full license. The highest priority license rule should be at the bottom of the list.
The help files have an example:
For each registered domain controller, Directory Server processes synchronization rules sequentially from top to bottom in the order that the rules are listed on the Directory Server administration site. For example:
1. You have two Windows groups: QA and Engineering.
2. The QA group contains 1 user: John.
3. The Engineering group contains 2 users: Jane and John (same John as the one in the QA group).
4. You add a synchronization rule that assigns full named user licenses to the QA group.
5. You add a second synchronization rule below the rule in step 4 that assigns retrieval named user licenses to the Engineering group.
6. Because the rule added in step 5 is the last rule that Directory Server will process, both Jane and John will end up with retrieval named user licenses.
Note: for advanced troubleshooting, you can use the Claims Test page after logging in to verify the group membership for the user.
For the repository security, we would need more information to help troubleshoot. There are some good resources on the help page for effective permissions: https://go.laserfiche.com/support/webhelp/Laserfiche/10/en-us/administration/#../Subsystems/LFAdmin/Content/Effective_Permissions.htm
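
The top-to-bottom, last-rule-wins processing described above can be modelled as a dry run to check which license each user would end up with before you reorder rules. This is an added example, not Laserfiche code and not part of the original post; the function names, the `available` seat counts and the sample data are assumptions built from the help-file example.

```python
from collections import Counter

# Constructed sample data mirroring the help-file example (group -> members).
GROUPS = {"QA": ["John"], "Engineering": ["Jane", "John"]}
HELP_ORDER = [("QA", "full"), ("Engineering", "retrieval")]      # top to bottom
REORDERED = [("Engineering", "retrieval"), ("QA", "full")]


def resolve_licenses(rules, groups):
    """Apply rules top to bottom; the last rule matching a user wins.

    Returns (effective, order_dependent): the license each user ends up with,
    and the users matched by rules that assign different license types.
    """
    effective, matched = {}, {}
    for group, license_type in rules:
        for user in groups.get(group, ()):
            effective[user] = license_type          # later rule overwrites earlier
            matched.setdefault(user, []).append((group, license_type))
    order_dependent = {
        user: hits for user, hits in matched.items()
        if len({lic for _, lic in hits}) > 1
    }
    return effective, order_dependent


def plan_sync(rules, groups, available):
    """Dry run: return (changes, order_dependent, shortfall).

    Assumption: `available` maps license type -> seats that can be assigned.
    If any type is short, no user is changed, matching the all-or-nothing
    behaviour described in the post.
    """
    effective, order_dependent = resolve_licenses(rules, groups)
    needed = Counter(effective.values())
    shortfall = {
        lic: count - available.get(lic, 0)
        for lic, count in needed.items()
        if count > available.get(lic, 0)
    }
    return ({} if shortfall else effective), order_dependent, shortfall


if __name__ == "__main__":
    for name, rules in (("help order", HELP_ORDER), ("reordered", REORDERED)):
        print(name, plan_sync(rules, GROUPS, {"full": 1, "retrieval": 2}))
```

Users listed in `order_dependent` are the ones whose license depends on rule order, so they are the accounts to review when a user ends up with more or less access than intended.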