Web filtering not picking up user

Is this a Server Protection Client? So there is Intercept X for server installed? Check if this server is in the Best Protection EAP. 

Have installed v19 and then followed this article https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigurePerConnectionAuth/index.html#create-firewall-rules-for-multi-user-host-traffic

I've attached web policy under the firewall rule - copy of the web policy below - but Auto-IT Admins are still blocked

Essentially you need to get AD SSO running and the Standard/Direct Proxy has to be enabled. 

I've done a bit of troubleshooting and it looks like since upgrading to v19 it's not automatically creating users from AD in the Sophos - it was before I upgraded.

Just to confirm;

Group policy auditing changed to enable successful logins

AD server added to Sophos - test connection works fine

AD server listed as the only authentication server in services / firewall auth methods

What am I missing?

I've done a bit of troubleshooting and it looks like since upgrading to v19 it's not automatically creating users from AD in the Sophos - it was before I upgraded.

Just to confirm;

Group policy auditing changed to enable successful logins

AD server added to Sophos - test connection works fine

AD server listed as the only authentication server in services / firewall auth methods

What am I missing?

Users essentially are not needed in the Firewall. But those users should be created by a successful authentication. 

Ok. But web filtering rules are not working on a per user basis using that config. It’s not recognising who is logged in to the terminal server.

So you are not seeing the user in Live Logging? 

Correct. No username is attached to anything.

I thought that was live logging. Where do I need to go to see live logging?

You need to look for current activities and live users. 

I disconnected all users from Sophos live users and also from the terminal server.

I logged in the to the server as "User1" and browsed the web but User2 popped up in the live users section on the sophos for that server.

Client type is STAS

Any ideas on this LuCar?

STAS? If you have a terminal server, STAS should exclude this terminal server. Essentially the best way is always to have one mechanism per client. So exclude in STAS your terminal servers.