Synchronize with Active Directory

Before you perform this task:

  • If you use role-based administration, you must have the Computer search, protection and groups right. For more information, see Managing roles and sub-estates.
  • If you want to protect computers in synchronized groups automatically, make sure you have prepared the computers as described in Prepare for installation of security software.
  • If you have a complex Active Directory structure and want to synchronize domain local groups or nested Active Directory groups, enable this functionality as described in knowledgebase article 122529.

To synchronize with Active Directory:

  1. Select a group that will become your synchronization point, right-click and select Synchronize with Active Directory.
    The Synchronize with Active Directory wizard starts.
  2. On the Overview page of the wizard, click Next.
  3. On the Choose an Enterprise Console group page, select or create a Sophos Enterprise Console group that you want to keep synchronized with Active Directory (synchronization point). Click Next.
  4. On the Choose an Active Directory container page, select an Active Directory container which you want to synchronize the group with. Enter the name of the container (for example, LDAP://CN=Computers,DC=domain_name,DC=local) or click Browse to browse to the container in Active Directory. Click Next.
    Important If a computer exists in more than one synchronized Active Directory container, it causes a problem, with messages being exchanged continually between the computer and Sophos Enterprise Console. Each computer should be listed only once in Sophos Enterprise Console.
  5. If you want to protect Windows workstations automatically, on the page Protect Computers Automatically, select the check box Install Sophos security software automatically, and then select the software you want to install.
    Note For a list of system requirements for the software, see the system requirements page on the Sophos website.
    • Before installing Firewall on computers, make sure you have configured the firewall to allow the traffic, applications, and processes you want to use. By default, the firewall is enabled and blocks all non-essential traffic. See Firewall policy.
    • Leave Third-Party Security Software Detection selected if you want to have another vendor's software removed automatically. If you need to remove another vendor's updating tool, see Remove third-party security software.

    All Windows workstations discovered during this and future synchronizations will be protected automatically, in compliance with their respective group policies.

    Important Computers running Windows server operating systems, Mac OS, Linux, or UNIX will not be protected automatically. You must protect such computers manually, as described in the Sophos Enterprise Console advanced startup guide.
    Note You can enable or disable automatic protection later, in the Synchronization properties dialog box. For instructions, see View and edit synchronization properties.

    Click Next.

  6. If you chose to protect computers automatically, on the Enter Active Directory Credentials page, enter the details of an administrator account that will be used to install software on the computers. Click Next.
  7. On the Choose the Synchronization Interval page, choose how often you want to synchronize the Enterprise Console group with the Active Directory container. The default is 60 minutes.
    Note You can change the synchronization interval later, in the Synchronization properties dialog box. For instructions, see View and edit synchronization properties.
  8. On the Confirm Your Choices page, check the details, and then click Next to proceed.
  9. On the last page of the wizard, you can view the details of the groups and computers that have been synchronized.

    You can also set up email alerts to be sent to your chosen recipients about new computers and groups discovered during future synchronizations. If you chose to protect computers in synchronized groups automatically, you can also set up alerts about automatic protection failures. To open the Configure Email Alerts dialog box after you click Finish, select the check box on the last page of the wizard. For instructions, see Set up Active Directory synchronization email alerts.

    To close the wizard, click Finish.
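
The Important note in step 4 warns against a computer appearing in more than one synchronized Active Directory container. The following Python check is an added example, not part of the Sophos documentation: it compares a planned list of synchronization points and reports containers that are identical or nested inside one another. The group names and container paths are constructed, and it assumes that a synchronization point also covers the sub-containers beneath the chosen container.

```python
import re

# Constructed sample: Enterprise Console group -> Active Directory container path.
PLANNED = {
    "London": "LDAP://OU=London,OU=Workstations,DC=example,DC=local",
    "All workstations": "ldap://ou=workstations, dc=example, dc=local",
    "Default computers": "LDAP://CN=Computers,DC=example,DC=local",
}


def parse_container(path):
    """Normalize an LDAP container path into a list of (attribute, value) pairs."""
    # Drop the LDAP:// prefix and an optional "server/" part in front of the DN.
    dn = re.sub(r"^LDAP://(?:[^/=,]+/)?", "", path.strip(), flags=re.IGNORECASE)
    rdns = []
    # Split on commas that are not escaped; an escaped comma belongs to a value.
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a valid container path: {path!r}")
        # Distinguished names compare case-insensitively in Active Directory.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def covers(outer, inner):
    """True if container `inner` is the same as, or located below, `outer`."""
    n = len(outer)
    return n <= len(inner) and inner[-n:] == outer


def find_overlaps(sync_points):
    """Return sorted (outer_group, inner_group) pairs whose containers overlap."""
    parsed = {group: parse_container(p) for group, p in sync_points.items()}
    return sorted((outer, inner)
                  for outer, o_dn in parsed.items()
                  for inner, i_dn in parsed.items()
                  if outer != inner and covers(o_dn, i_dn))


if __name__ == "__main__":
    for outer, inner in find_overlaps(PLANNED):
        print(f"Overlap: computers under '{inner}' would also be listed "
              f"under '{outer}'")
```

Two groups pointing at the same container are reported in both directions, because each covers the other.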