Users who log on to SafeGuard Enterprise need to be authenticated against Active Directory
before they have access to their key rings.
If you use BitLocker managed by SafeGuard
Enterprise you need to allow registration of new SGN users for
- In the Policies navigation area, create a new policy of the type
Specific Machine Settings or select an existing one.
- In the User Machine Assignment (UMA) section, go to the
Allow registration of new SGN users for setting and select
Everybody from the drop-down list.
- Go to Users and Computers and assign the policy to your user groups.
If users cannot be authenticated when they log on, they are moved to the
.Unconfirmed Users group. This group is displayed in the global root node
and in every domain or workgroup.
Possible reasons why users cannot be authenticated when they log on:
- The user provided credentials that do not match the credentials stored in Active
- The user is a local user on the endpoint.
- The Active Directory authentication server is not reachable.
- The user belongs to a domain that is not imported from Active Directory.
  Note: These users
  will be added to the global .Unconfirmed Users group that is displayed
  directly below the Root node in Users and
- The authentication failed due to an unexpected error.
See also Sophos knowledgebase article 124328.
Note: Only Active Directory users can be authenticated. This requires that Active Directory is
As long as users reside in the .Unconfirmed Users group they do not have
access to their key rings.
If you click on an .Unconfirmed Users group, details of the users in the
group are displayed in the Unconfirmed Users tab in the right-hand
pane, for example, the reason why a user has been moved to this group.
The Client Status dialog on the users' endpoints displays
unconfirmed user under SGN user state:.