Filter inactive AD users
Follow these instructions to stop the inactive users in your Active Directory (AD) domains from synchronizing with Sophos Central.
We recommend that you remove inactive users and devices rather than relying on filters. Inactive user accounts and devices are a security risk. For more information, see Set up synchronization with Active Directory.
When you set up AD Sync, you can use LDAP query filters to find the users and groups you want to synchronize. You can also change your filters and then synchronize again if you want to change the users, groups, and devices you're synchronizing. You can use LDAP attributes in your LDAP query filters to stop inactive users from synchronizing with Sophos Central.
You can use the
lastLogonTimestamp attributes. You need to consider how these attributes work when you use them. Using them doesn't guarantee live or accurate information.
lastLogonattribute is more likely to be up to date, but it isn't replicated across your domain controllers. This means you need to query every domain controller.
lastLogonTimestampattribute may be out of date. However, this is the attribute most people use when filtering out inactive users.
You can find more help on using these attributes in Understanding the AD Account attributes.
lastLogonTimestamp to filter out inactive users, do as follows:
- Determine your cut-off date and time for including users in your synchronization, for example, December 1, 2020, 00:01.
- Convert this to
LDAP/FILETIMEusing a conversion tool, such as LDAP, Active Directory and Filetime Timestamp Converter. Using our example cut-off date and time gives 132581431640000000.
- Set up synchronization with Active Directory synchronization if you haven't already done so.
- In Active Directory Synchronization Setup, click AD Filters.
- In the custom filters box, enter the
lastLogonTimestampand your converted cut-off date and time. For example,
- Review your settings and filters and synchronize.