You can create user records locally on the firewall for users and administrators.
The list also shows the users on your external authentication servers. These records are added when users are authenticated for the first time. See Servers.
The firewall doesn't authenticate users with a user ID value above 65535. So, such users can't become live users. See Live users.
Users and groups
A user can belong to more than one group. See FAQs for Active Directory users and groups.
The firewall applies the group's settings if you select only the group in rules and policies. It applies the user's settings if you select both the user and their group.
If you don't want to authenticate specific Active Directory users any longer, remove their records from the AD server. On the firewall, click Purge AD users to remove the records locally.
A purge doesn't interrupt user sign-in, sign-out, and accounting events.
In a high-availability cluster, the firewall deletes user records from the primary and auxiliary devices.
To change users' statuses between active and inactive, select the users and click Change status.
- To see more details, click Show additional properties and select the options.
- To import or export user records, go to Backup and firmware > Import export.
Active Directory users
Active Directory (AD) users can belong to more than one group.
- Group: Shows the main group of an AD user.
- Other group memberships: Shows the other groups of an AD user.
To manage AD users, see FAQs for Active Directory users and groups.
Some rules and policies support multiple group membership. See Support for Active Directory group memberships.
You can identify if a user is configured locally on Sophos Firewall or has been imported from Active Directory (AD).
To identify users, do as follows:
- Go to Authentication > Users.
- Click a name to edit that user.
- You can change the password and groups of local users. You can't change these settings for AD users.