FAQs for Active Directory users and groups
The firewall adds users to the imported Active Directory (AD) groups when it authenticates them.
User groups imported from AD
How do I import AD groups?
To configure an AD server and import AD groups to the firewall, see Configure Active Directory authentication.
In a high-availability cluster, import AD groups to the primary device.
If a group is added later to the AD server, is it synchronized automatically with the firewall?
No. You must import the group using the import assistant. See Import Active Directory groups.
Alternatively, create the group manually on both the AD server and the firewall.
When are AD users added to groups in the firewall?
When you import AD groups, only the groups you select are imported. Every time users sign in, the firewall evaluates their groups and applies the updates.
What happens when a user isn't part of a group in the firewall?
When a user signs in and none of the user's AD groups exist in the firewall, the firewall assigns the user to the default group.
You can see the default group on Authentication > Services, under Firewall authentication methods. By default, it's Open group.
Is the AD's primary group information added to the firewall?
Active Directory doesn't add its primary group information to the user or group attributes. So, the information isn't added to the firewall.
If you retain the AD's default primary group as Domain Users, the firewall doesn't add users to this group. If you change the AD's primary group to another, for example, Group A, the firewall doesn't add users to this group.
See the behavior in the following examples:
Do as follows:
-
In Windows, open Administrative Tools.
The steps differ depending on your operating system and its version.
-
Right-click the user, select Properties and go to Member Of.
The user belongs to Group A, Group B, and Group C, and the primary group is Domain Users.
-
Ask the user to sign in to the captive portal.
When the user is authenticated, they're imported into the firewall and mapped to the first group (Group A) on the list.
-
In Sophos Firewall, go to Authentication > Users and verify the user's groups.
Suppose the primary group in Active Directory is Group A rather than Domain Users. The firewall adds users to the next matching group on the list (for example, Group B).
In this example, change the user's primary group in the AD server, then verify the user's group in the firewall.
-
In Windows, open Administrative Tools.
The steps differ depending on your operating system and its version.
-
Right-click the required user, select Properties and go to Member Of.
-
Change the primary group to Group A.
The user's first group in the AD group list is A.
-
Ask the user to sign in to the captive portal.
When the user is authenticated, they're imported into the firewall and mapped to Group B.
-
In Sophos Firewall, go to Authentication > Users and check the user's group.
What's the priority for a user's AD groups in the firewall?
In the firewall, AD users have a main group and other group memberships.
Go to Authentication > Users and click the user you want. You can see the user's groups under Policies as follows:
- Group: User's first group on the firewall's group list when it authenticates the user. It's the user's main group in the firewall. Some rules and policies only support the main group. See Support for Active Directory group memberships.
- Other group memberships: Other groups the user belongs to.
Here's an example:
How do I import AD groups to a high-availability cluster?
Use the import assistant in the primary device. See Import Active Directory groups.
User groups in the firewall
How do I change a user's main group in the firewall?
The group order on Authentication > Groups in the firewall determines the user's main group.
A user's main group in the firewall can change due to any of the following:
- Adding or deleting the user's group or changing the user's group membership in AD.
- Changing the group order on Authentication > Groups in the firewall. Drag and drop the user's main group below the other groups the user belongs to.
When the user next signs in, the firewall adds or removes the user from groups based on the changes you make in AD. It then evaluates the groups' order in the firewall and sets the user's first group on the list as the user's main group.
How do I change the order on Authentication > Groups?
Do as follows:
Do all rules and policies support multiple group memberships?
Some rules and policies support multiple group membership for users. Others only support the user's main group. See Support for Active Directory group memberships.
For rules and policies that support multiple group membership, does the order of a user's groups matter?
For rules and policies that support multiple group membership, the firewall matches the rule or policy to traffic and then picks the first matching group in the rule or policy. This can be the main group or one of the other group memberships. See Support for Active Directory group memberships.
Does multi-factor authentication (MFA) support multiple group memberships?
No, MFA only supports the user's main group. See Authentication.
Managing users and groups in AD server and firewall
Where do I update the policies and settings for AD users and groups?
You can update the policies and settings on Authentication > Groups. Alternatively, you can update these for specific users on Authentication > Users.
If you specify the policies and settings for a user, these take precedence over the group's policies and settings.
When are updates applied to users?
You must wait till the user next signs in. Every time a user signs in, the firewall applies any updates to the user's groups, group order, and policies and settings.
How do I delete AD groups?
Do as follows:
- Delete them in the AD server.
- Delete them in the firewall.
How do I delete AD users?
You must delete the users from both the AD server and the firewall. If you don't delete the users from the AD server, they're created again in the firewall and authenticated if they try to sign in.
Do as follows:
- Delete the users from the AD server first.
-
Delete these users in the firewall as follows:
- Go to Authentication > Users.
-
Click Purge AD users.
You don't need to select these users. The firewall checks with the AD server and only purges AD users you've already deleted from the server.
In a high-availability cluster, purge AD users in the primary device. The firewall deletes these AD user records from the primary and auxiliary devices.
A purge doesn't interrupt user sign-in, sign-out, and user accounting.
Can I export or take a backup of AD users and groups?
The firewall only exports users that you manually create. It doesn't export users authenticated using an external authentication server, such as AD and RADIUS, although they're automatically added to the firewall when they sign in.
You can export the AD groups you import and those you manually create in the firewall.
All groups and users, including those from the authentication server, are part of the backups you take.
How can I authenticate users with multiple User Principal Names (UPNs)?
To authenticate users with multiple UPNs belonging to the same domain server, you must create DNS entries for each domain using the domain server's IP address, then configure AD servers for each domain using the AD domain name as the search query. See Authentication Multi UPN configuration.
Using AD with endpoint sign-ins
Can I use AD with endpoint sign-ins?
Yes. See Synchronized user ID authentication.
Does synchronized user ID authentication support locally-created users in the firewall?
No. See Synchronized user ID authentication.
Can the firewall authenticate remote desktop server (RDS) users without AD integration?
No.
More resources