User base policy on Umbrella

sv7
Level 3

Hi All,

I deployed the AnyConnect Umbrella module for my on-premises and off-premises users to avail of Umbrella proxy features. I am observing that policy is getting applied based on the hostname of the device and not on a user basis (abc@xyz.com). Please help: how can I achieve user-based policy using the AnyConnect agent?

8 Replies

I think there is an option in the security report dashboard that allows you to filter per computer, did you try that?

diebarra
Cisco Employee

Hello! Will require more info. Have you deployed the AD connector? If so, are the components all green?

Prerequisites and how to integrate Umbrella with AD:
https://docs.umbrella.com/deployment-umbrella/docs/1-ad-integration-setup-overview

Yes, AD connectors are deployed and they are functional also. But I have observed that policies are getting applied using the identity Roaming client and not the AD user.

aaragonb
Cisco Employee

1. Is it happening with the DNS policy, WEB policy or both? Is this user the only one not being matched, or all? Was it working fine before?

2. Let's perform the following test: open the Policy tester and add as Identity the user and a domain that should be blocked. Is the policy being matched the expected one?
3. Another test would be to create a dummy DNS/WEB policy to match only that user and place it on top of the rack, adding a domain to be blocked. The takeaway of this test would be to see if there is any issue with that user/AD integration.

1) It is happening for both. And I believe the Web policy first tracks the user machine to match a policy. PFA snapshot, and correct me if I'm wrong.

2) Tried, but unless I add the user machine hostname, the policy doesn't work as expected.

3) Will do this and let you know.

[Attached image: sv7_0-1687842872024.png]

aaragonb
Cisco Employee

Since this is happening with both DNS and WEB policies, let's focus on DNS, since it would be the first policy being enforced.

You are right, the AD user would be the first identity to be matched, both in DNS and WEB:
- Policy Precedence for DNS: https://docs.umbrella.com/umbrella-user-guide/docs/dns-policy-precedence

- Policy Precedence for WEB: https://docs.umbrella.com/umbrella-user-guide/docs/web-policy-precedence#match-an-identity

Regarding point 2, you mentioned it doesn't work as expected. Let's dig deeper: is the result of the policy tester the same as in reality?

Yes the result of the policy tester is the same as in reality.

aaragonb
Cisco Employee

Ok, the next step would be to create a dummy DNS policy to match only that AD user and place it on top of the policy rack, adding a domain to be blocked. The takeaway of this test would be to see if there is any issue with that user/AD integration. You may check as well if the policy tester result is the same as in reality.