Synchronizing with Active Directory
This section gives an overview of Active Directory synchronization.
What does Active Directory synchronization do for me?
With Active Directory synchronization, you can synchronize Sophos Enterprise Console groups with Active Directory containers. New computers and containers discovered in Active Directory are copied into Sophos Enterprise Console automatically. You can also choose to protect discovered Windows workstations automatically. This minimizes the window during which a newly added computer is unprotected and can become infected, and reduces the work needed to organize and protect computers.
After you have set up synchronization, you can set up email alerts to be sent to your chosen recipients about new computers and containers discovered during future synchronizations. If you choose to protect computers in synchronized Sophos Enterprise Console groups automatically, you can also set up alerts about automatic protection failures.
How does Active Directory synchronization work?
In Sophos Enterprise Console, you can have both “normal,” unsynchronized groups that you manage yourself and groups synchronized with Active Directory.
When setting up synchronization, you select or create a synchronization point: a Sophos Enterprise Console group to be synchronized with an Active Directory container. All computers and subcontainers in that Active Directory container are copied into Sophos Enterprise Console as computers and subgroups and kept synchronized with Active Directory.
After you set up synchronization with Active Directory, the synchronized part of the Sophos Enterprise Console group structure exactly matches the Active Directory container it is synchronized with. This means the following:
- If a new computer is added to the Active Directory container, then it also appears in Enterprise Console.
- If a computer is removed from Active Directory or moved into an unsynchronized container, then the computer is moved to the Unassigned group in Sophos Enterprise Console. Warning: a computer in the Unassigned group stops receiving new policies.
- If a computer is moved from one synchronized container to another, then the computer is moved from one Enterprise Console group to the other.
- If a computer already exists in a group when it is first synchronized, then it is moved from that group to the synchronized group that matches its location in Active Directory.
- When a computer is moved into a new group with different policies, then new policies are sent to the computer.
By default, synchronization occurs every 60 minutes. You may change the synchronization interval if required.
How do I approach synchronization?
You decide which groups to synchronize with Active Directory and how many synchronization points to set up. Consider whether the groups that synchronization will create are of a manageable size: you should be able to deploy software to, scan, and clean up the computers in each group easily. This is especially important for the initial deployment.
The recommended approach is as follows:
- Import the group structure (without computers), using the Import from Active Directory function. For instructions, see Import containers and computers from Active Directory.
- Review the imported group structure and choose your synchronization points.
- Set up group policies and apply them to the groups and subgroups. For instructions, see Create a policy and Assign a policy to a group.
- Synchronize your chosen synchronization points, one at a time, with Active Directory. For instructions, see Synchronize with Active Directory.
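A pre-synchronization review that supports the second step (choosing synchronization points) and the last step (synchronizing one point at a time) is given below. It is an added example, not a script shipped with Sophos Enterprise Console: it reads Active Directory with the ActiveDirectory PowerShell module (RSAT) and reports, for each candidate synchronization point, every OU or container in its subtree together with the number of computers that would land in the matching console group, flagging groups over a size you consider manageable, plus the computers that no chosen synchronization point covers. The domain DC=example,DC=com, the OU names, and the threshold of 300 computers are placeholder assumptions; the workstation/server split by operating-system name is an approximation.

```powershell
# Added example, not part of the Sophos Enterprise Console documentation.
# Pre-synchronization review of candidate synchronization points. Requires the
# ActiveDirectory module (RSAT) and read access to the directory; it changes nothing.
# The OU distinguished names, the domain and the size threshold are assumptions.
Import-Module ActiveDirectory

function Get-SyncPointReport {
    param(
        [Parameter(Mandatory)] [string[]] $SyncPoint,  # DNs of candidate synchronization points
        [int] $MaxGroupSize = 300                       # assumed upper bound for a manageable group
    )
    foreach ($root in $SyncPoint) {
        # Every OU or container under the synchronization point becomes its own console
        # subgroup, so count the computers that are direct members of each one (OneLevel).
        $containers = Get-ADObject -SearchBase $root -SearchScope Subtree `
            -Filter 'objectClass -eq "organizationalUnit" -or objectClass -eq "container"'
        foreach ($c in $containers) {
            $members = @(Get-ADComputer -Filter * -SearchBase $c.DistinguishedName `
                -SearchScope OneLevel -Properties OperatingSystem)
            # Rough split of workstations from servers by OS name (automatic protection
            # applies to discovered Windows workstations).
            $workstations = @($members | Where-Object {
                $_.OperatingSystem -like 'Windows*' -and $_.OperatingSystem -notlike '*Server*' })
            [pscustomobject]@{
                SyncPoint    = $root
                Container    = $c.DistinguishedName
                Computers    = $members.Count
                Workstations = $workstations.Count
                TooLarge     = ($members.Count -gt $MaxGroupSize)
            }
        }
    }
}

function Get-ComputersOutsideSyncPoints {
    # Computers in the domain that none of the chosen synchronization points covers.
    # They will not be synchronized, so they stay in groups you manage yourself.
    param(
        [Parameter(Mandatory)] [string[]] $SyncPoint,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree |
        Where-Object {
            $dn = $_.DistinguishedName
            -not ($SyncPoint | Where-Object { $dn -like "*,$_" })
        } |
        Select-Object Name, DistinguishedName
}

# Example invocation with assumed OU names; review the output before synchronizing each point.
$points = 'OU=Workstations,DC=example,DC=com', 'OU=Laptops,DC=example,DC=com'
Get-SyncPointReport -SyncPoint $points | Sort-Object Computers -Descending | Format-Table -AutoSize
Get-ComputersOutsideSyncPoints -SyncPoint $points | Format-Table -AutoSize
```

Run it with an account that can read the directory; it never writes to Active Directory or to the console. Rows marked TooLarge suggest choosing a synchronization point lower in the tree, and the second list shows which computers will remain in unsynchronized groups after synchronization is set up.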