
Active Directory synchronization FAQ

Find answers to common questions about Active Directory synchronization in Sophos Central Admin.

Active Directory synchronization allows administrators to implement a service that maps users and groups from Active Directory to Sophos Central Admin and keeps them synchronized. You can set it up with Active Directory Synchronization Setup.

The Active Directory FAQ is split into two parts.

  • This page contains general information about Active Directory synchronization in Sophos Central Admin.
  • For general information about Active Directory Synchronization Setup, installation, supported platforms, synchronization errors, changing directory services, and removing Active Directory Synchronization, see Active Directory synchronization installation FAQ.

Where can I configure a proxy?

Active Directory Synchronization Setup (version 4.0) allows you to configure a proxy. You can do this in Sophos Credentials. See Set up synchronization with Active Directory.

Screenshot: Proxy settings area in Active Directory Synchronization Setup.

If you have a trial account, you use Sophos Central AD Sync Utility (version 3.5.4). You can't configure proxy details in this version.

In Sophos Central AD Sync Utility, the service runs using a local service account, which by default doesn't have access to authenticate through any proxies. When there's a proxy connection issue, you get the following error:

Failed active directory synchronization. Reason: System.Net.Http.HttpRequestException
---> CommandLib.HttpRequestCommand+HttpStatusException: Exception of type 'CommandLib.HttpRequestCommand+HttpStatusException' was thrown.

If you need to create an account that does have access, this account must be able to log on in the following ways:

  • As a service.
  • Interactively.
  • As a batch job.

The account must also have the rights to read Organizational Units (OU) on the Domain Controller that you want to synchronize.

The account must also have NTFS full permissions for C:\ProgramData\Sophos\Sophos Cloud AD Sync.

Note

Every time you change the service account used for synchronizing with Active Directory, you need to reconfigure Sophos Central AD Sync Utility.

There's also an additional Active Directory synchronization proxy workaround. See How to configure AD Sync Utility to use a proxy server?

What are the LDAP filters?

Users are filtered with the LDAP query (&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2)).

The LDAP filter for groups is (&(objectCategory=group)(objectClass=group)).

You can extend these filters on a per-domain basis. For more information about filtering and LDAP queries, see Sophos Central Admin AD Sync Utility filters.
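The following is an added example, not Sophos code: it mirrors the two LDAP filters above clause by clause in Python and runs them over constructed directory entries, so you can see why a computer account, a disabled account and an interdomain trust account are all skipped while a group is picked up. The entries, the example.com forest and the extend_filter helper are assumptions made for the illustration.

```python
SAM_TRUST_ACCOUNT = 805306370   # sAMAccountType value the user filter excludes
UF_ACCOUNTDISABLE = 0x2         # userAccountControl bit the bitwise-AND rule tests

def _category(entry):
    # objectCategory holds a DN such as CN=Person,CN=Schema,...; the filter
    # compares the RDN value, so extract "Person".
    return entry.get("objectCategory", "").split(",")[0].split("=")[-1].lower()

def _classes(entry):
    # objectClass is multi-valued; an equality filter matches if any value equals.
    return {c.lower() for c in entry.get("objectClass", [])}

def matches_user_filter(entry):
    """Mirror (&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)
    (!userAccountControl:1.2.840.113556.1.4.803:=2)) clause by clause."""
    if _category(entry) != "person" or "user" not in _classes(entry):
        return False   # computers carry objectClass=user but objectCategory=Computer
    if entry.get("sAMAccountType") == SAM_TRUST_ACCOUNT:
        return False   # interdomain trust accounts also look like person/user objects
    # :1.2.840.113556.1.4.803:=2 is true when (userAccountControl & 2) != 0;
    # the enclosing (!...) negates it, so disabled accounts are dropped.
    return not (entry.get("userAccountControl", 0) & UF_ACCOUNTDISABLE)

def matches_group_filter(entry):
    """Mirror (&(objectCategory=group)(objectClass=group))."""
    return _category(entry) == "group" and "group" in _classes(entry)

def extend_filter(base, extra):
    """Per-domain extension (assumed helper): AND one more clause onto a base filter."""
    return f"(&{base}{extra})"

SCHEMA = "CN=Schema,CN=Configuration,DC=example,DC=com"   # constructed forest
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "alice": {"objectCategory": f"CN=Person,{SCHEMA}", "objectClass": USER_CLASSES,
              "sAMAccountType": 805306368, "userAccountControl": 512},
    "bob": {"objectCategory": f"CN=Person,{SCHEMA}", "objectClass": USER_CLASSES,
            "sAMAccountType": 805306368, "userAccountControl": 514},   # 512 | disabled
    "ws01$": {"objectCategory": f"CN=Computer,{SCHEMA}", "objectClass": USER_CLASSES + ["computer"],
              "sAMAccountType": 805306369, "userAccountControl": 4096},
    "CORP$": {"objectCategory": f"CN=Person,{SCHEMA}", "objectClass": USER_CLASSES,
              "sAMAccountType": SAM_TRUST_ACCOUNT, "userAccountControl": 2080},
    "Domain Users": {"objectCategory": f"CN=Group,{SCHEMA}", "objectClass": ["top", "group"]},
}

def selected(entries, predicate):
    """Names of the entries a filter would return."""
    return sorted(name for name, entry in entries.items() if predicate(entry))
```

Running selected(SAMPLE_ENTRIES, matches_user_filter) returns only alice; the disabled, computer and trust accounts are dropped by the clause named in each comment.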

We recommend that you remove inactive users and devices rather than relying on filters. See Filter inactive AD users.

How does synchronization import usernames?

We use Display name when importing users from Active Directory.

Screenshot: Example display name.

How does synchronization import an email alias address?

We use proxyAddresses for the alias.

Screenshot: Proxy addresses.

Where can I find the log files?

See Active Directory Sync Utility logging locations.

Note

If you need to open a support case, you need to give Sophos Support as much information from the log files as possible.

How does synchronization match Active Directory users to existing users?

We match Active Directory users by Domain Login (Domain/user) or email address (using the mail attribute).

Screenshot: Example domain logon and example email address.

If there’s a match, we update or replace the matched Sophos Central Admin user with the data from Active Directory. The user icon changes from the Sophos Central Admin user icon to the Active Directory user icon.

If neither the domain login nor the email address matches an existing Sophos Central Admin user, we create a new user.

If needed, you can update user logins in Sophos Central Admin. For example, you can edit the login details associated with a device. See How to assign or remove an existing login for a user.

You can see the accounts that match before you synchronize. Click Preview and Sync... to do this.

Screenshot: Preview and Sync... option.

If there’s a match, you’ll see this on the Users to Modify tab.

If there’s no match, you’ll see the user on the Users to Add tab. You can choose to reject changes.

For information on resolving issues with linking between Sophos Central Admin users and Microsoft Entra ID, see Why are some Azure AD synced users not linked to a device-created user and show as duplicates.

What happens if I remove a user in Active Directory?

Synchronization can result in the user being removed from Sophos Central as well. This depends on their role.

We don't automatically remove a user if they have a Sophos Central administrator role like Admin, Super Admin, or Custom, or if they have an associated device or login. You still see the user in the People page, but their icon changes from the Active Directory user icon to a regular Sophos Central user icon.

However, if a user has the User role, or doesn't have an associated device or login, we automatically remove them.

Why are changes in Active Directory not reflected in Sophos Central Admin?

We don't automatically remove a user with an administrator role in Sophos Central Admin who is also an Active Directory user. This also applies to primary email address changes for users with a Sophos Central Admin role.

To remove a user with an administrator role (after they've been removed in Active Directory) or change the associated email address, you need to demote that user (in Sophos Central Admin) and remove their administrator role. The next time you synchronize with Active Directory, we remove their account or update their email as appropriate. If you updated their email address, you can then assign them an administrator role.

Why did the name of a user change after synchronization?

This can happen when a user has been given a different user's device login. This means that a user record in Active Directory has the device logins for two different people.

For example, user A has device logins for both userA/domain and userB/domain. User B has a device login for userB/domain.

We synchronize user A first and associate both device logins with user A. When the synchronization process reaches user B and tries to create the user, it finds user B's device login under user A. This matches user B to user A. We then change user A’s name to user B.

To fix this, do as follows:

  1. Find the user in Sophos Central Admin.
  2. Check their logins and remove any that don't belong to them.
  3. Synchronize.
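The following is an added example, not Sophos code: a deliberately simplified model of the login-and-email matching described above, run over a constructed snapshot in which user A carries user B's login. It reproduces the rename and then shows that removing the stray login before synchronizing yields two separate users. The sync and remove_logins functions, the DOMAIN logins and the example.com addresses are assumptions for the illustration.

```python
def sync(ad_users, central_users):
    """Simplified model of one synchronization pass (assumption, not Sophos code).
    ad_users are processed in order; central_users is updated in place. A record
    matches an existing user when they share a domain login or an email address;
    a match is updated with the AD data, otherwise a new user is created."""
    for ad in ad_users:
        match = next((u for u in central_users
                      if set(u["logins"]) & set(ad["logins"])
                      or (ad.get("mail") and ad.get("mail") == u.get("mail"))), None)
        if match is None:
            central_users.append({"name": ad["name"], "mail": ad.get("mail"),
                                  "logins": sorted(ad["logins"])})
        else:
            # The matched record takes the AD data, which is how user A ends up
            # renamed to user B once B's login is found under A.
            match["name"] = ad["name"]
            match["mail"] = ad.get("mail")
            match["logins"] = sorted(set(match["logins"]) | set(ad["logins"]))
    return central_users

def names(central_users):
    return sorted(u["name"] for u in central_users)

def remove_logins(ad_users, name, stray):
    """Step 2 of the fix, modelled on the records fed to the sync: drop from the
    named user the logins that don't belong to them."""
    return [{**u, "logins": [l for l in u["logins"]
                             if not (u["name"] == name and l in stray)]}
            for u in ad_users]

# Constructed snapshot (not real directory data): user A carries user B's login.
AD_SNAPSHOT = [
    {"name": "User A", "mail": "usera@example.com",
     "logins": ["DOMAIN\\userA", "DOMAIN\\userB"]},
    {"name": "User B", "mail": "userb@example.com", "logins": ["DOMAIN\\userB"]},
]

# Before the fix a pass yields one record, now named "User B", holding both logins.
BEFORE_FIX = sync(AD_SNAPSHOT, [])
# After the stray login is removed from user A, both users are created separately.
AFTER_FIX = sync(remove_logins(AD_SNAPSHOT, "User A", {"DOMAIN\\userB"}), [])
```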

Why can't I assign a role to an Active Directory managed user?

This typically happens if there are duplicate users. To fix the issue, do as follows:

  1. Go to People > Manage Users & Groups > Users in Sophos Central Admin.
  2. Search for the user's email address.
    • If you get more than one result returned for the user, go to step 3.
    • If you have only one user, go to step 7.
  3. Determine which one of the duplicate user accounts you want to assign a role to.
  4. Click each of the duplicate users that you don't want to assign a role to and do as follows:
    1. Click Edit logins.
    2. Make a note of the sign-in credentials for the user.
    3. Remove all the associated sign-in credentials from the user.
    4. Click Save.
  5. Click the user you want to assign a role to and do as follows:
    1. Click Edit logins.
    2. Add all of the credentials you removed from the duplicate users.
    3. Click Save.
  6. Assign the role to the user. Check that you can save this and that the user receives the setup email.
  7. If you still get an error saying that the user can't be edited or saved, this usually means that the email address has already been used in Sophos Central. To release the email address so that you can use it again, follow the steps in Unable to modify a user's role.

Why are users linked to groups that they're not members of?

We show nested Active Directory groups as linked groups in the Groups area of the user's page in Sophos Central Admin.

In the following screenshot, there are four groups shown for the user in Sophos Central Admin.

Screenshot: Example of nested groups in Sophos Central Admin.

The user is only a direct member of one group. The other three groups are nested groups that are linked to this user. The user isn't a member of these linked groups.

Screenshot: Active Directory nested groups linked to a user.

Why does the number of members of the Domain Users group not match Active Directory?

See Failure to create a group or reflect the correct number of users.

Why isn't a Mac associated with a synchronized user?

Active Directory Synchronization Setup imports login names as [NetBIOSDomainName]\[User]. A Mac reports the username as [MacComputerName]\[User]. As a result, a Mac doesn't associate with the synchronized user, and a new user is created based on the [MacComputerName]\[User] login name.

To map the Mac to the Sophos Central Admin user, you can delete the auto-generated user ([MacComputerName]\[User]) and then map the [MacComputerName]\[User] login to the user that AD Sync created.

You can override this information locally. See How to enable domain overrides for reported users.

Why are empty mailboxes appearing after synchronization?

Empty mailboxes appear if the Exclude disabled user accounts setting is turned off in the synchronization options. When this setting is turned off, you'll get duplicate mailboxes for your shared mailboxes in Sophos Central.

To prevent this, we recommend you turn on the Exclude disabled user accounts setting.

If you turn this setting on, mailboxes with an empty delegate list aren't synchronized. This means that, when disabled users aren't synchronized, the additional shared mailboxes won't synchronize or appear in the dashboard.

Why do the AD Sync events in the Central Audit log display the modifier identity as a globally unique identifier (GUID)?

Starting with version 5.x of the AD sync client, the audit log entries for AD directory sync activities no longer show the identifiers of the client credentials used for sync authentication. This includes directory object create, update, and delete audits, and other sync events. Instead, the audit event modifier field displays the GUID of the AD sync client registered with Sophos.