Active Directory synchronization FAQ

Find answers to common questions about Active Directory synchronization in Sophos Central Admin.

Active Directory synchronization allows administrators to implement a service that maps users and groups from Active Directory to Sophos Central Admin and keeps them synced. You can set it up with Active Directory Synchronization Setup.

The Active Directory FAQ is split into two parts.

  • This page contains general information about Active Directory synchronization in Sophos Central Admin.
  • For general information about Active Directory Synchronization Setup, installation, supported platforms, synchronization errors, changing directory services, and removing Active Directory Synchronization, see Active Directory synchronization installation FAQ.

Where can I configure a proxy?

Active Directory Synchronization Setup (version 4.0) allows you to configure a proxy. You can do this in Sophos Credentials. See Set up synchronization with Active Directory.

Proxy settings area in Active Directory Synchronization Setup

If you have a trial account, you use Sophos Central AD Sync Utility (version 3.5.4). You can't configure proxy details in this version.

In Sophos Central AD Sync Utility, the service runs under a local service account, which by default can't authenticate through a proxy. A proxy connection failure produces the following error:

Failed active directory synchronization. Reason: System.Net.Http.HttpRequestException 
---> CommandLib.HttpRequestCommand+HttpStatusException: Exception of type 'CommandLib.HttpRequestCommand+HttpStatusException' was thrown.

If you need to create an account that can authenticate through the proxy, it must hold the following user rights on the AD Sync host:

  • Log on as a service.
  • Allow log on locally (interactive logon).
  • Log on as a batch job.

The account must also have read access to the organizational units (OUs) you want to sync on the domain controller.

The account must also have NTFS full permissions for C:\ProgramData\Sophos\Sophos Cloud AD Sync.

Note Every time you change the service account used for synchronizing with Active Directory, you need to reconfigure Sophos Central AD Sync Utility.
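The following PowerShell script is an added example, not Sophos code, for checking a candidate service account against the requirements above before you reconfigure the utility. The account name and the OU search base are placeholders; the script is meant to run elevated on the AD Sync host, and only the OU check needs the RSAT ActiveDirectory module.

```powershell
# Added example (not Sophos code). Placeholders: the account name and search base.
# Run elevated on the AD Sync host. The OU check needs the RSAT ActiveDirectory module.
$Account    = 'CORP\svc-adsync'                              # placeholder service account
$DataDir    = 'C:\ProgramData\Sophos\Sophos Cloud AD Sync'
$SearchBase = 'OU=Staff,DC=corp,DC=example'                  # placeholder OU to sync

# secedit lists user rights by SID (prefixed with '*'), so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Logon rights: export the local policy's USER_RIGHTS area and look for the SID.
#    Only a direct grant is detected; a right inherited through group membership
#    (e.g. Administrators) is not, so treat MISSING as "check the groups", not as proof.
$cfg = Join-Path $env:TEMP 'adsync-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg
$required = [ordered]@{
    SeServiceLogonRight     = 'Log on as a service'
    SeInteractiveLogonRight = 'Allow log on locally'
    SeBatchLogonRight       = 'Log on as a batch job'
}
foreach ($right in $required.Keys) {
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = if ($line) { ($line -split '=')[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
    $status  = if ($holders -contains $sid) { 'OK' } else { 'MISSING (no direct grant)' }
    '{0,-22} {1}' -f $required[$right], $status
}

# 2. NTFS Full control on the AD Sync data folder.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$hasFull = (Get-Acl -Path $DataDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}
if ($hasFull) { "NTFS Full control on ${DataDir}: OK" }
else {
    "NTFS Full control on ${DataDir}: MISSING. Grant it with:"
    "  icacls `"$DataDir`" /grant `"${Account}:(OI)(CI)F`""
}

# 3. Read access to the OUs to sync: bind as the service account and list them.
#    An access error or an empty result means the account can't read that tree.
Import-Module ActiveDirectory
$cred = Get-Credential -UserName $Account -Message 'Service account password'
Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Credential $cred |
    Select-Object -ExpandProperty DistinguishedName
```

The logon-rights check reads the exported policy directly rather than relying on `whoami /priv`, which shows privileges of the current session only and doesn't list logon rights at all.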

There's also an additional Active Directory synchronization proxy workaround. See How to configure AD Sync Utility to use a proxy server?.

What are the LDAP filters?

Users are filtered with the LDAP query (&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2)). This selects user objects but excludes interdomain trust accounts (sAMAccountType 805306370) and disabled accounts (the ACCOUNTDISABLE bit, 0x2, of userAccountControl, tested with the bitwise AND matching rule 1.2.840.113556.1.4.803).

The LDAP query for groups is (&(objectCategory=group)(objectClass=group)).

You can extend these filters on a per-domain basis. For more information about filtering and LDAP queries, see Sophos Central Admin AD Sync Utility filters.

We recommend that you remove inactive users and devices rather than relying on filters. See Filter inactive AD users.

How does synchronization import usernames?

We use the Active Directory display name (the displayName attribute) as the user's name when importing users.

Example display name

How does synchronization import an email alias address?

We take alias addresses from the proxyAddresses attribute.

Proxy addresses
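As an added example (not Sophos code), the PowerShell below runs the two filters from "What are the LDAP filters?" with the RSAT ActiveDirectory module and prints, for each selected user, the display name, login, mail and proxyAddresses aliases that the sync imports, so you can compare the result with the Sophos Central Admin preview. It also groups the selected users by mail, because matching against existing Sophos Central Admin users (described below) can use that attribute. The search base is a placeholder.

```powershell
# Added example (not Sophos code). Assumes the RSAT ActiveDirectory module; the search
# base is a placeholder: narrow it to the OUs you actually sync.
Import-Module ActiveDirectory
$SearchBase = 'DC=corp,DC=example'

# The sync's own filters. In the user filter:
#   (!sAMAccountType=805306370)                      drops SAM_TRUST_ACCOUNT (0x30000002) objects
#   (!userAccountControl:1.2.840.113556.1.4.803:=2)  bitwise-AND rule: drops ACCOUNTDISABLE (0x2)
$UserFilter  = '(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$GroupFilter = '(&(objectCategory=group)(objectClass=group))'

$users  = @(Get-ADUser  -LDAPFilter $UserFilter  -SearchBase $SearchBase -Properties displayName, mail, proxyAddresses)
$groups = @(Get-ADGroup -LDAPFilter $GroupFilter -SearchBase $SearchBase)
"Users selected: $($users.Count)   Groups selected: $($groups.Count)"

# Per user: display name, NetBIOS-domain login, primary mail, and the aliases taken
# from proxyAddresses (Exchange convention: 'SMTP:' marks the primary, 'smtp:' an alias).
$netbios = (Get-ADDomain).NetBIOSName
$users | ForEach-Object {
    $aliases = @($_.proxyAddresses | Where-Object { $_ -clike 'smtp:*' }) -replace '^smtp:'
    [pscustomobject]@{
        DisplayName = $_.displayName
        Login       = "$netbios\$($_.SamAccountName)"
        Mail        = $_.mail
        Aliases     = $aliases -join ', '
    }
} | Format-Table -AutoSize

# Matching of existing Sophos Central Admin users goes by login or by mail, so a mail
# value shared by several selected users is worth resolving before you sync.
$users | Where-Object { $_.mail } | Group-Object -Property mail |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { 'Duplicate mail {0}: {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ') }
```

To test a per-domain extension of the user filter, AND your extra clause into $UserFilter (for example an OU or attribute restriction) and rerun the script; the counts and the table show exactly which objects the change adds or removes.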

Where can I find the log files?

See Active Directory Sync Utility logging locations.

Note If you need to open a support case, you need to give Sophos Support as much information from the log files as possible.

How does synchronization match Active Directory users to existing users?

We match Active Directory users to existing Sophos Central Admin users by domain login (NetBIOS domain\user) or by email address (the mail attribute).

Example domain login and example email address

If there's a match, the matched Sophos Central Admin user is updated (or replaced) with the data from Active Directory. The user's icon changes from the Sophos Central Admin user icon to the Active Directory user icon.

If neither the login nor the email address matches an existing Sophos Central Admin user, we create a new user.

If needed, you can update user logins in Sophos Central Admin. For example, you can edit the login details of a user associated with a device. See How to assign or remove an existing login for a user.

You can see the accounts that match before you synchronize. Click Preview and Sync... to do this.

Preview and Sync... option

If there’s a match, you’ll see this on the Users to Modify tab.

If there’s no match, you’ll see the user on the Users to Add tab. You can choose to reject changes.

For information on resolving issues with linking between Sophos Central Admin users and Azure AD, see Azure AD.

What happens if I remove users in Active Directory?

If the user has a device login, a mailbox or a Sophos Central Admin administrator role, we keep the user in Sophos Central Admin.

The user's icon changes from the Active Directory user icon to the Sophos Central Admin user icon.

If the user doesn't have a device login, a mailbox or a Sophos Central Admin administrator role, we delete the user.

Why are changes in Active Directory not reflected in Sophos Central Admin?

If a user with an administrator role in Sophos Central Admin is also an Active Directory user, we don't automatically remove them when they're removed from Active Directory. The same applies to changes to the primary email address of a user with a Sophos Central Admin role.

To remove such a user (after they've been removed from Active Directory) or to change their email address, demote the user in Sophos Central Admin by removing their administrator role. On the next synchronization with Active Directory, we remove their account or update their email address as appropriate. If you updated the email address, you can then assign the administrator role again.

Why did the name of a user change after synchronization?

This can happen when a user has been given another user's device login, so that one user record in Sophos Central Admin holds the device logins of two different people.

For example, user A has device logins for both domain\userA and domain\userB. User B has a device login for domain\userB.

We synchronize user A first and associate both device logins with user A. When synchronization reaches user B and tries to create that user, it finds user B's device login under user A, matches user B to user A, and renames user A to user B.

To fix this, do as follows:

  1. Find the user in Sophos Central Admin.
  2. Check their logins and remove any that don't belong to them.
  3. Synchronize.

Why can't I assign a role to an Active Directory managed user?

This typically happens if there are duplicate users. To fix the issue, do as follows:

  1. Go to Overview > People in Sophos Central Admin.
  2. Search for the user's email address.
    • If you get more than one result returned for the user go to step 3.
    • If you have only one user go to step 7.
  3. Determine which one of the duplicate user accounts you would like to assign a role to.
  4. Click each of the duplicate users that you don't want to assign a role to and do as follows:
    1. Click Edit logins.
    2. Make a note of the sign-in credentials for the user.
    3. Remove all the associated sign-in credentials from the user.
    4. Click Save.
  5. Click the user you want to assign a role to and do as follows:
    1. Click Edit logins.
    2. Add all of the credentials you removed from the duplicate users.
    3. Click Save.
  6. Assign the role to the user. Check that you can save this and that the user receives the setup email.
  7. If you still get an error saying that the user can't be edited or saved, this usually means that the email address has already been used in Sophos Central Admin. To release the email address so that you can use it again, follow the steps in Unable to modify a user's role.

Why are users linked to groups that they're not members of?

We show nested Active Directory groups as linked groups in the Groups area of the user's page in Sophos Central Admin.

In the following screenshot, there are four groups shown for the user in Sophos Central Admin.

Example of nested groups in Sophos Central Admin

The user is a direct member of only one group. The other three are nested groups linked to this user; the user isn't a direct member of them.

Active Directory nested groups linked to a user
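As an added example (not Sophos code), the PowerShell below shows the two views for one account: the groups it is a direct member of (its memberOf attribute) and the groups it belongs to transitively through nesting, which the domain controller resolves with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941). The difference is the set of nested groups that appear as linked groups. It assumes the RSAT ActiveDirectory module; the account name is a placeholder.

```powershell
# Added example (not Sophos code). Assumes the RSAT ActiveDirectory module; the
# sAMAccountName is a placeholder.
Import-Module ActiveDirectory
$Sam = 'jdoe'

function ConvertTo-LdapFilterValue([string]$s) {
    # RFC 4515 escaping, so a DN containing \ * ( ) can't break the filter below.
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$user = Get-ADUser -Identity $Sam -Properties memberOf
$dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

# Direct membership: the groups named in the user's memberOf attribute.
# Note: neither list includes the primary group (usually Domain Users), because
# primary-group membership isn't stored in the group's member attribute.
$direct = @($user.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

# Transitive membership: IN_CHAIN walks member -> group -> member through nested groups.
$all = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
         Select-Object -ExpandProperty Name)

$nested = @($all | Where-Object { $_ -notin $direct })

"Direct groups for ${Sam}:       $($direct -join ', ')"
"Nested-only (linked) groups:   $($nested -join ', ')"
```

In the screenshot scenario above this prints one direct group and three nested-only groups; the nested-only list is what you should expect to see as linked groups on the user's page.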

Why does the number of members of the Domain Users group not match Active Directory?

See Failure to create a group or reflect the correct number of users.

Why isn't a Mac associated with a synchronized user?

Active Directory Synchronization Setup imports login names as [NetBIOSDomainName]\[User], but a Mac reports the username as [MacComputerName]\[User]. Because the two login names differ, the Mac isn't associated with the synchronized user, and a new user is created from the [MacComputerName]\[User] login name.

To map the Mac to the user created by AD Sync, delete the auto-generated [MacComputerName]\[User] user and then add the [MacComputerName]\[User] login to the AD Sync user (see How to assign or remove an existing login for a user).

You can override this information locally. See How to enable domain overrides for reported users.