Disabling shadowing for a specific user account not possible when it is enabled for 'Everyone' or any other universal group, the target user account belongs to
DESCRIPTIONIt is not possible to disable shadowing for a specific user account if the user belongs to a group, shadowing is enabled for (e.g., universal groups like Everyone, Domain Users, Administrators).
COMMENTSThe described behaviour corresponds to the current DeviceLock logic when only explicit restrictions take priority over permissions.
Since disabling the 'Shadowing' flag for a specific user account does not come to be an explicit restriction, shadowing rule for Everyone (or other universal group) overrides shadowing-disabled rule for the user account belonging to the group.
RECOMMENDATIONSWe recommend to avoid enabling shadowing for universal groups such as Everyone or Domain Users in current version (7.1.x) if it needs to be enabled for certain user accounts only.
*User-based shadowing rules working disregarding group membership are considered for the version 7.2.