Filter inactive AD users

Follow these instructions to stop the inactive users in your Active Directory domains from synchronizing with Sophos Central.

Warning We recommend that you remove inactive users and devices rather than relying on filters. Inactive user accounts and devices are a security risk. For more information, see Set up synchronization with Active Directory.

You can use LDAP query filters when you set up AD Sync to find the users and groups you want to synchronize. You can also change your filters and then synchronize again if you want to change the users, groups and devices you are synchronizing. You can use LDAP attributes in your LDAP query filters to stop inactive users from synchronizing with Sophos Central.

You can use the lastLogon and lastLogonTimestamp attributes. You need to take into account how these attributes work when you use them. Using them doesn't guarantee live or accurate information.

  • The lastLogon attribute is more likely to be up to date, but it isn't replicated across your domain controllers. This means you need to query every domain controller.
  • The lastLogonTimestamp attribute may be out of date. However, this is the attribute most people use when filtering out inactive users.

You can find more help on using these attributes in Understanding the AD Account attributes.

Restriction Synchronizing Organizational Units may not be available for all customers yet.

To use lastLogonTimestamp to filter out inactive users, do as follows:

  1. Determine your cut-off date and time for including users in your synchronization, for example, December 1, 2020, 00:01.
  2. Convert this to LDAP/FILETIME using a conversion tool, such as LDAP, Active Directory and Filetime Timestamp Converter.
    Using our example cut-off date and time gives 132581431640000000.
  3. Set up synchronization with Active Directory, if you haven't already done so.
  4. In Active Directory Synchronization Setup, click AD Filters.
  5. In the custom filters box, enter lastLogonTimestamp and your converted cut-off date and time.
    For example, lastLogonTimestamp >=132581431640000000.
  6. Review your settings and filters and synchronize.
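The conversion in step 2 and the filter in step 5, worked through as an added example (not Sophos code): it converts a cut-off date to the FILETIME integer AD stores in lastLogonTimestamp, checks the value by converting it back, and builds the filter clause in standard LDAP filter syntax. It assumes the cut-off is given in UTC, and the sample cut-off is a constructed value.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC;
# lastLogonTimestamp is stored in this format, so the cut-off must be converted.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample cut-off (read as UTC) for the functions below.
EXAMPLE_CUTOFF = datetime(2020, 12, 1, 0, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to the LDAP/FILETIME integer."""
    if dt.tzinfo is None:
        raise ValueError("cut-off must be timezone-aware; AD stores FILETIME in UTC")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse conversion, useful for sanity-checking a value from a converter tool."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def inactive_user_filter(cutoff: datetime, include_never_logged_on: bool = False) -> str:
    """Build the custom filter clause for the AD Filters box.

    Caveats a plain '>=' comparison hides:
    - lastLogonTimestamp is only rewritten when the stored value is older than
      msDS-LogonTimeSyncInterval (14 days by default), so it can lag the real
      last logon by up to that long; pick the cut-off with that slack in mind.
    - Accounts that have never logged on carry no lastLogonTimestamp at all, so
      the comparison silently drops them; include_never_logged_on keeps them.
    """
    ft = datetime_to_filetime(cutoff)
    recent = f"(lastLogonTimestamp>={ft})"
    if include_never_logged_on:
        return f"(|{recent}(!(lastLogonTimestamp=*)))"
    return recent


if __name__ == "__main__":
    print(datetime_to_filetime(EXAMPLE_CUTOFF))
    print(inactive_user_filter(EXAMPLE_CUTOFF))
```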