Enhanced authentication - the .Unconfirmed Users group

Users who log on to SafeGuard Enterprise need to be authenticated against Active Directory before they have access to their key rings.

If users cannot be authenticated when they log on, they will be moved to the .Unconfirmed Users group. This group is displayed in the global root node and in every domain or workgroup. Enhanced authentication applies to Windows and macOS users.

Possible reasons why users cannot be authenticated when they log on:

  • The user provided credentials that do not match the credentials stored in Active Directory.
  • The user is a local user on the endpoint.

    Since only Active Directory users can be authenticated using a domain controller, a local user will always be moved to the .Unconfirmed Users group when they log on for the first time.

  • The Active Directory authentication server is not reachable.
  • The user belongs to a domain that is not imported from Active Directory.

    In this case, users will be added to the global .Unconfirmed Users group that is displayed directly below the Root node in Users and Computers.

  • The authentication failed due to an unexpected error.

See also Sophos knowledge base article 124328.

As long as users reside in the .Unconfirmed Users group they do not have access to their key rings.

If you click on an .Unconfirmed Users group, details of the users in the group (for example, the reason why a user is in the group) are displayed in the Unconfirmed Users tab in the right-hand pane.

On Windows endpoints, the Client Status dialog displays unconfirmed user under SGN user state.

On macOS endpoints, the User tab of the Sophos SafeGuard Preference pane displays Unconfirmed user under SafeGuard User State.

For logged events, see Auditing.

Enhanced Authentication and BitLocker

If you use BitLocker managed by SafeGuard Enterprise, you need to allow registration of new SGN users for Everybody:
  1. In the Policies navigation area, create a new policy of the type Specific Machine Settings or select an existing one.
  2. In the User Machine Assignment (UMA) section, go to the Allow registration of new SGN users for setting and select Everybody from the drop-down list.
  3. Go to Users and Computers and assign the policy to your user groups.