AD Security Groups Not Populating

How do I force STAS to populate a security group that I have imported to XG?

I have imported Domain Users but it has no members. Then I tried one of our department security groups and it also has no members.



  • Navar,

    importing all Domain users is not a best practice. You should import only certain groups and create Firewall Rules on those groups. Try this test to make sure that AD integration works:

    Once the group is imported, create a policy rule where only the imported group can surf on internet and check under authentication log if a user matching that rule is correctly authenticated.

    Also on the Control Center you should see the Live Users counter increase.

    Thanks

  • I know domain users is not the best thing to do but we wanted to get XG Web filtering going.

    But we are having a bunch of STAS sync issues. We have a security group that has 25 users in it but only 17 show up. The other 8 don't get the test policy/rule.

    I have created a security group and added my test account.

    But this test account was in another security group that we already have in XG. I have removed my test account, but it still shows in the group when checking members in XG.

    How do I force a re-sync?
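One way to see from the AD side which members a directory consumer can actually observe, as an added example that is not part of the original thread or Sophos' own tooling: it lists the users in the `member` attribute (nested groups expanded) and, separately, the users who are members only through `primaryGroupID`, which never appear in `member` (Domain Users is the classic case), then compares the union against whatever names the firewall currently shows. It assumes the ActiveDirectory RSAT module, read access to the domain, and placeholder values for the group name and the list of names seen on XG.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module and
# a domain account that can read group and user objects.
Import-Module ActiveDirectory

# Group whose members are not all showing up on the firewall (placeholder name).
$GroupName = 'Dept-Sales'

# Usernames the firewall currently lists under the imported group; constructed
# placeholder list, replace with what the XG group view shows.
$SeenOnXg = @('alice', 'bob', 'carol')

$group = Get-ADGroup -Identity $GroupName -Properties member

# 1) Members reachable through the group's 'member' attribute, nested groups
#    expanded, user objects only.
$direct = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName }

# 2) Users whose primaryGroupID points at this group. They are members in AD but
#    are NOT listed in 'member', so a consumer that reads only 'member' misses
#    them. The RID is the last component of the group SID.
$rid        = [int](($group.SID.Value -split '-')[-1])
$viaPrimary = Get-ADUser -LDAPFilter "(primaryGroupID=$rid)" |
    ForEach-Object { $_.SamAccountName }

$effective = @($direct + $viaPrimary) | Sort-Object -Unique

# Members AD knows about that the firewall does not show, and vice versa.
$missingOnXg = $effective | Where-Object { $SeenOnXg -notcontains $_ }
$staleOnXg   = $SeenOnXg  | Where-Object { $effective -notcontains $_ }

[pscustomobject]@{
    Group            = $GroupName
    ViaMemberAttr    = @($direct).Count
    ViaPrimaryGroup  = @($viaPrimary).Count
    EffectiveMembers = @($effective).Count
    MissingOnXg      = $missingOnXg -join ', '
    StaleOnXg        = $staleOnXg -join ', '
}

# For the "removed but still shows" case: confirm what AD itself currently holds
# for the test account before chasing the firewall cache (placeholder account).
Get-ADUser -Identity 'testuser' -Properties memberOf, primaryGroupID |
    Select-Object SamAccountName, primaryGroupID,
        @{ n = 'MemberOf'; e = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

If `StaleOnXg` lists the test account while `MemberOf` on the AD side no longer does, the discrepancy is on the firewall's cached view, not in the directory, which is the split the later replies in this thread are working through.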

  • Navar,

    XG uses tight integration, where the username is fetched from AD along with its group association. So if you have imported the group from AD, the user would be assigned to that group only, but the group association must be set primarily on the AD server. If the group is not imported, the user is set to Open Group by default. Also, if you create a group on XG itself and manage to assign a user to be a member of that group, it would still revert after an authentication attempt.

    See this thread!

    Hope it is clear.

  • It is looking more and more like STAS is the issue.

    I just checked the 4 DCs and the agents has stopped on all of them.

    Here is what support recommended.

    Put agent and collector on DC01 and DC02.  Then for DC01 under STA Agent add DC02 to the collector list.  Then for DC02 under STA Agent add DC01 to the collector list.

    Then for DC03 and DC04, add both DC01 and DC02 to their collector list.

    We did have to stop using WMI for Workstation Polling and go with Registry Read Access because WMI was generating a ton of DCOM errors in the DC event log.

    I have also noticed that the XG box keeps disappearing from under the General tab "Sophos Appliances".

  • Navar,

    Make sure that all the firewall ports are opened:

    And all the steps needed are configured.

    Can you also share a DCOM error you see in the events?

    Thanks

  • We have 4 DCs.  Two run both collector and agent and two just run agents.

    The agent on the two that run both functions keeps stopping.

    How dependent is STAS on DNS?
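A health sweep across the four DCs covering the three things raised in the last two posts (agents that keep stopping, the DCOM errors WMI polling produced, and the DNS question), as an added example that is not from the thread or from Sophos. It assumes WinRM is enabled on the DCs, that the DCs also serve DNS (so each one is asked to resolve its peers and the firewall by name), and placeholder values for the DC names, the firewall hostname and the STAS service display-name pattern, which you should match to the service names you see in `services.msc`.

```powershell
# Added example, not from the thread. Run from a domain-joined admin host with
# WinRM access to the DCs. All names below are placeholders.
$DomainControllers  = 'DC01', 'DC02', 'DC03', 'DC04'
$XgHostName         = 'xg-firewall.corp.example'
$StasServicePattern = 'STAS*'   # assumption: adjust to the STAS service display names on your DCs

foreach ($dc in $DomainControllers) {

    # 1) DNS: agents and collectors address each other by the names typed into
    #    their collector lists, so every DC should resolve its peers and the
    #    firewall. Each DC's own DNS service is queried here (assumes DCs run DNS).
    $dnsFailures = foreach ($name in ($DomainControllers + $XgHostName)) {
        try   { Resolve-DnsName -Name $name -Server $dc -ErrorAction Stop | Out-Null }
        catch { $name }
    }

    $remote = Invoke-Command -ComputerName $dc -ArgumentList $StasServicePattern -ScriptBlock {
        param($pattern)

        # 2) STAS agent/collector service state on this DC.
        $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue |
               Select-Object DisplayName, Status, StartType

        # 3) DCOM errors in the System log over the last 24 hours, i.e. what WMI
        #    workstation polling was filling the DC event log with.
        $dcom = Get-WinEvent -FilterHashtable @{
                    LogName      = 'System'
                    ProviderName = 'Microsoft-Windows-DistributedCOM'
                    Level        = 2                      # Error
                    StartTime    = (Get-Date).AddHours(-24)
                } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Services   = $svc
            DcomCount  = @($dcom).Count
            DcomSample = @($dcom | Select-Object -First 3 -ExpandProperty Message)
        }
    }

    [pscustomobject]@{
        DC            = $dc
        StasServices  = ($remote.Services | ForEach-Object { "$($_.DisplayName)=$($_.Status)/$($_.StartType)" }) -join '; '
        StoppedSvcs   = (@($remote.Services | Where-Object Status -ne 'Running').DisplayName) -join ', '
        DcomErrors24h = $remote.DcomCount
        DcomSample    = $remote.DcomSample -join ' | '
        DnsFailures   = $dnsFailures -join ', '
    }
}
```

A DC whose STAS service shows `Stopped` with a `StartType` of `Manual` explains an agent that does not come back after a reboot; `DcomSample` gives you the exact message text the earlier reply asked for; and a non-empty `DnsFailures` column on one DC means that DC cannot even name the collector it is supposed to forward logon events to, which is the part of the DNS dependency you can verify without knowing anything about STAS internals.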