Can sophos ad sync filter users on group membership?

 Hi,

We have an existing AD configuration with a lot of user accounts together in a single OU.
Some user accounts are only used for offboarded users who never log in on the local network or use local resources,
like users who only receive mail on their mobile device.

When I use the AD sync tool I can sync the OU and get all users into Sophos Central,
including those who should never log on.
Other existing domain rules make it impossible to separate the user accounts on an OU basis.

The easiest way would be to create a Sophos-specific user group which contains those user accounts which must have Sophos protection,
and the sync tool could filter the users in the selected OU on membership of this group.

However, I don't know if this is possible and, if so, how to define the filter rule.

I hope someone can help me out.
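The thread does not show the filter syntax the Sophos AD sync tool expects, so the following is an added example (not from the original post, and not Sophos' own tooling) of the standard LDAP group-membership filter a practitioner would preview with the ActiveDirectory PowerShell module before relying on it in any sync tool. The OU and group distinguished names are placeholders; the assumption is that the sync tool accepts an ordinary LDAP filter string.

```powershell
# Added example: preview which accounts in an OU a group-membership LDAP filter
# selects, so the filter can be checked against AD before a sync tool uses it.
Import-Module ActiveDirectory

$ou      = 'OU=Users,DC=example,DC=local'                      # placeholder: the OU you sync
$groupDn = 'CN=Sophos-Protected,OU=Groups,DC=example,DC=local'  # placeholder: the group DN

# Standard LDAP filter: user objects that are direct members of the group.
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn))"

# List the accounts the filter selects below that OU (SearchScope defaults to Subtree).
Get-ADUser -SearchBase $ou -LDAPFilter $filter -Properties memberOf |
    Select-Object SamAccountName, UserPrincipalName, Enabled

# A plain memberOf clause does not match nested membership. If protected users are
# added through nested groups, use the LDAP_MATCHING_RULE_IN_CHAIN rule OID instead.
$nestedFilter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
Get-ADUser -SearchBase $ou -LDAPFilter $nestedFilter |
    Select-Object SamAccountName, UserPrincipalName, Enabled
```

Comparing the two result sets shows whether direct membership alone covers the accounts that must be protected, which is the check to run before trusting a filter to exclude the mail-only offboarded accounts described above.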



  • Thanks RGBE, that's the rule I was looking for.

    I Got another issue.

    Our admins have to log in with MFA; when I use this account (or these accounts) for synchronisation I get authentication failures, when I disable MFA.

    How can I keep Central safe with MFA and sync AD scheduled?

  • I have a separate account set up for syncing that doesn't use MFA, and then enable MFA manually on the 'actual' admin accounts.  It's not the ideal option, and it would be nice if MFA could be enabled globally without breaking the sync and migration tools, but I don't think this is possible yet.

  • However, that means you created a (fake) user account (with admin rights?) only for the synchronisation.

    I think that's not very secure; the fake account can log on to the console with admin rights without MFA.

    Or am I wrong?

    Regards,

    Peter

  • You're right, the account can log in to the admin console which does weaken security somewhat.  All I can do at this stage though is give it a beast of a randomly generated password that even I won't remember, and use it only for the sync and migration tools.  I suspect the issue here is that the sync tool can be run on a schedule, so unlike the migration or manual sync, it wouldn't even be possible to prompt for a code.

    I guess the alternative is to have the sync tool signed somehow so that it can bypass MFA, or do a one-time manual sign in to get a certificate for the relevant account and then sync using that, but currently it's not possible.

  • All right, an additional account it will be.

    I created one; however, I forgot how to set a user's password and cannot find a way to do this.

    Sorry for all those questions.

    regards,

    Peter

  • My memory might be a bit rusty here, but what I think you have to do is create the account with admin privs, then try to log in to the Central console as that user via the activation link in an email.  It'll go through the setup process, including setting a password (so make sure you have access to the email address it uses!).