
Mac clients bound to Active Directory

I've recently started working at an organisation that is using Sophos Endpoint Protection as its anti-virus software. The environment uses Windows 2008 R2 servers on an Active Directory domain with Mac OS X clients as the desktops. We are trying to get Active Directory synchronization working for various OUs but are having problems.

I have only just started looking at this issue, but what appears to be happening is that we are getting multiple entries for the same computer, in both the Unassigned and synchronized OU groups. The entry that shows up in the Unassigned group is greyed out, but checking the computer details shows it as being bound to the domain. The entries in the synchronized OU are a mixture of greyed out, not up-to-date with a red cross on the computer name, and up-to-date with a green tick. Viewing the computer details, the greyed-out computers show as being bound to the domain, and the entries with green ticks and red crosses show as being in a Workgroup.

I have tried deleting all entries for a computer in the synchronized OU and letting the synchronization process re-add the computer into the group in the Sophos Manager. It does bring it back into the sync'ed OU, but it is greyed out. If I reinstall the Sophos client on the computer, it then creates a second entry in that OU which is enabled and showing a green tick, but checking the computer details shows it as being in a Workgroup rather than on the domain.

We would like to be able to use AD synchronization to manage our Sophos groups but don't seem to be able to get it to work successfully. I have done a bit of googling about this but haven't found a solution so far. I did find this discussion on here which sounded relevant and tried the suggestion, but as outlined earlier, it didn't resolve the issue.  

http://www.sophos.com/en-us/support/knowledgebase/25160.aspx 

Can anyone suggest how we can get AD synchronization successfully working with domain-bound Mac clients? I realise we can't have the client software automatically installed on Macs, and we have another process to deal with that. We would just like to get the clients showing up in the synchronized groups correctly as managed and actively updating computers bound to the domain, without multiple entries.
