If a user is a member of a group or OU that is scoped to more than one Management Policy, the policy that takes precedence is the first Management Policy listed on the Password Manager home page in the Admin site. This is normally the Default Management Policy.
However, if one of the policies has either a group or an OU disabled, then the members of those groups or OUs are disabled for ALL Management Policies. For example:
Group1 = All users including Martians
Group2 = Martians only
Policy1 has Group1 enabled and Group2 enabled.
Policy2 has Group1 enabled and Group2 disabled.
The users in Group2 are unable to access the Password Manager Self-Service site, nor can they be managed by the helpdesk, even though they are allowed in Policy1.
Disallowed takes precedence over allowed regardless of which management policy is higher in the list.
The users in Group1 who are not in Group2 get access to the Password Manager Self-Service site and are managed by the helpdesk based on the workflows in Policy1.
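
The precedence rule above can be modelled as a two-pass check, which is useful when auditing why a user is locked out of Self-Service. This is an added example, not Password Manager code: the `Policy` class, the `resolve` and `find_shadowed_users` functions, and the user names are hypothetical, and the sample data is constructed to mirror the Group1/Group2 case.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    enabled: set = field(default_factory=set)    # groups/OUs included in scope
    disabled: set = field(default_factory=set)   # groups/OUs explicitly disabled

def resolve(user_groups, policies):
    """Return (policy_name, blocked_by); policies are in Admin site list order."""
    groups = set(user_groups)
    # Deny pass: a disabled group/OU in ANY policy blocks the user everywhere.
    blocked_by = [(p.name, g) for p in policies for g in sorted(groups & p.disabled)]
    if blocked_by:
        return None, blocked_by
    # Allow pass: the first listed policy that has the user in scope wins.
    for p in policies:
        if groups & p.enabled:
            return p.name, []
    return None, []  # not in scope of any policy

def find_shadowed_users(directory, policies):
    """Users allowed by at least one policy but denied by a disabled entry in another."""
    report = {}
    for user, groups in directory.items():
        policy, blocked_by = resolve(groups, policies)
        allowed_in = [p.name for p in policies if set(groups) & p.enabled]
        if policy is None and blocked_by and allowed_in:
            report[user] = {"allowed_in": allowed_in, "blocked_by": blocked_by}
    return report

# Constructed sample data mirroring the example on this page.
POLICIES = [
    Policy("Policy1", enabled={"Group1", "Group2"}),
    Policy("Policy2", enabled={"Group1"}, disabled={"Group2"}),
]
DIRECTORY = {
    "alice": ["Group1"],             # ordinary user
    "marvin": ["Group1", "Group2"],  # a Martian
}

if __name__ == "__main__":
    for user, groups in DIRECTORY.items():
        print(user, resolve(groups, POLICIES))
    print(find_shadowed_users(DIRECTORY, POLICIES))
```

The `blocked_by` pairs name the policy and group responsible for a denial, which is the entry to review when a user who appears in scope cannot be managed.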