
Purging old SafeGuard clients / Purging unassigned users

Hi SOPHOS-Support-Team, hi SG-Admins,

we have two issues in our SafeGuard environment and want to purge old, inactive clients if possible.

We are running SafeGuard 6.00.10 on our SG Enterprise Server as well as on most of our SG Clients.


Case 1:

We are receiving all known client objects from our Active Directory via sync-job regardless of whether SafeGuard is in use or not. Only MobileClients will get SafeGuard installed. There are international ActiveDirectory SubSites where decommissioning of clients isn't working that well. There are clients still registered in AD even when these clients are decommissioned already.
Now, while these offline clients still remain in AD, they are even still registered in SafeGuard, even if there has been no communication for more than six months now. This situation brings us to a license issue. We have over 400 clients which haven't connected to SG Enterprise Manager for over 6 months now.

Is there a way to purge inactive clients like that command "purgedb" found for Sophos Control Center even for SafeGuard Enterprise?

Case 2:

Sometimes our employees are using SafeGuarded notebooks for just a period of a month, when they are on a business trip for example. When they use SafeGuard for the first time, a new certificate is generated automatically for them.


After this first SafeGuard usage period ends, the user will go on working on a desktop without SafeGuard. The notebook will be decommissioned and recycled for another usage after their return, but the user certificate still remains in the SafeGuard database, which will be a problem later ...

When these one-time SafeGuard users become SafeGuard users again in the future, the old certificate with the very old and unknown password will be synced to that fresh SafeGuard installation. The user will be asked for that unknown old password.

Is there a way to query and detect users with certificates but not assigned to a workstation?
May it be possible to purge all these users without workstation assignment?

Do you have programs, tools, scripts or SQL queries to help us purge the old stuff out of the SG database?

Thanks in advance,

Peter



  • This is actually a very good question and I too would like to know if there is anything we can do to manage and track these things. We have similar situations, but all we have to track is a spreadsheet which is manual and tedious, not a best practice at all.

  • Hi Peter,

    you could write a script that does these purge jobs.

    Look at the API documentation: http://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_60_m_eng_api.pdf

    Attached you find example code for both cases. These scripts are designed for running directly on the management server.

    Execution on another computer doesn't work. You can test scripts manually.

    on 32bit server : cscript scriptname

    on 64bit server: c:\windows\SysWOW64\cscript.exe scriptname

    Later you can run scripts by scheduled tasks.

    Rename files to extension vbs, edit variables to match your environment and then copy files to server.

    Deletion commands are currently commented out, so the scripts can't do harm. Deletion is only written to the log file.

    Please note that usage is at your own risk !

    Regards,

      Holger

  • Hello Holger,

    thank you very much for your feedback and your solution - This looks great!

    It's just what I'm looking for - and it looks like I'm not the only one.

    Otherwise you won't be able to hand it over so quickly - right?

    I'm not very familiar with that scripting language and that scripting API.

    I need to review and test it in another environment.

    Meanwhile I have raised a support call and got an answer as well.

    The guys told me what they need to tell me - it is dangerous to tweak the database, so I received

    database queries to produce a list of objects which can be deleted by using the SG Enterprise Console again.

    Better than nothing and helpful at the moment, but still a lot of work.

    I try to raise a feature request for that and you are welcome to add your statement here that you wish as well.

    It must be possible for a professional SG Developer to deliver a supported "purge"-tool like your script, right?

    I hope it's allowed to add the SQL-Queries here that were delivered by support-team -  Thanks guys!!!

    Best Regards from Munich,

    Peter

  • I'd like to add some details to the SQL queries supplied by Peter (PeGuenther):

    sg-db-query-user.txt can be used to identify users (or localusers) in the SafeGuard Enterprise Database that have a certificate assigned but do not (or no longer) have a User Machine Assignment associated to them.
    The query also picks up the creation and modify date from the users so you can easily see if those user accounts have been recently modified or not.

    sg-db-query-machines.txt will provide the date of the last client sync. This can be used to identify which clients haven't connected to the SafeGuard server for a certain time.

    Regards,

    Roman

  • Hi Guys,

    we're currently working on a KBA describing how to identify (and purge) SafeGuard Clients that have not reported in for x days using either SQL or the SGN API. It's currently work in progress but will be published soon under KBA ID 120086 - "How to identify old / no longer existing SafeGuard Enterprise Clients and remove them from the Database to free up licenses".

    A note on the "OrphanedUsers" API script (case2.txt) that was posted by Holger: This API script identifies SafeGuard Users with a Certificate assigned that currently have no User Machine Assignment and deletes the assigned Certificate. Keep in mind that this can be a very dangerous action if you're running an environment with Active Directory promoted Security Officers that do not use a SafeGuard Client!
    You're going to delete the Certificates of the Security Officers and they will be unable to log in to any SafeGuard Enterprise Management Center / SafeGuard Web Help Desk console.

    Regards,
    Chris

  • Hi Chris,

    I understand your concerns. On the other hand it is a bad idea not to use a SafeGuard Client as a Security Officer.

    Password would get out of sync with Windows password.

    Solution to your question :

    Script could additionally check if user is a Security Officer and skip deletion of certificate in this case.

    Regards,

    Holger

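The two clean-up queries described in the thread (Roman's explanation of the user and machine queries, and Chris's and Holger's point about skipping Security Officers), written out as a runnable model. This is an added example, not the scripts or SQL files attached to the thread and not Sophos code: it uses a constructed, simplified schema in in-memory SQLite whose table and column names are assumptions for illustration and are not the real SafeGuard Enterprise schema. The sample rows are constructed to cover the cases discussed above (active user with an assignment, one-time notebook users, an AD-promoted Security Officer without a client, an AD-synced user who never used SafeGuard, a decommissioned notebook, and an AD-imported desktop that never synced).

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed, simplified schema (an assumption for illustration; NOT the real
# SafeGuard Enterprise database schema). Adapt the names to what support gives you.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                    created TEXT NOT NULL, modified TEXT NOT NULL);   -- ISO-8601 dates
CREATE TABLE user_certificates (user_id INTEGER NOT NULL, thumbprint TEXT NOT NULL);
CREATE TABLE user_machine_assignments (user_id INTEGER NOT NULL, machine_id INTEGER NOT NULL);
CREATE TABLE security_officers (user_id INTEGER PRIMARY KEY);
CREATE TABLE machines (machine_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       last_sync TEXT);   -- NULL: never contacted the server (AD import only)
"""

NOW = datetime(2014, 6, 1)  # fixed "today" so the example is deterministic


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def build_sample_db(now=NOW):
    """Constructed sample data covering the situations from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)

    def d(days):
        return iso(now - timedelta(days=days))

    conn.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1, "alice", d(400), d(3)),    # active notebook user with an assignment: keep
        (2, "bob",   d(300), d(250)),  # one-time notebook user, cert but no assignment: orphaned
        (3, "carol", d(500), d(10)),   # AD-promoted Security Officer without a client: must be skipped
        (4, "dave",  d(100), d(100)),  # AD-synced, never used SafeGuard, no cert: nothing to purge
        (5, "erin",  d(200), d(190)),  # another one-time user: orphaned
    ])
    conn.executemany("INSERT INTO user_certificates VALUES (?,?)",
                     [(1, "A1"), (2, "B2"), (3, "C3"), (5, "E5")])
    conn.executemany("INSERT INTO user_machine_assignments VALUES (?,?)", [(1, 10)])
    conn.execute("INSERT INTO security_officers VALUES (3)")
    conn.executemany("INSERT INTO machines VALUES (?,?,?)", [
        (10, "NB-ALICE",  d(2)),    # syncing normally
        (11, "NB-OLD",    d(200)),  # decommissioned abroad, still in AD and in the DB
        (12, "NB-RECENT", d(30)),   # fine
        (13, "PC-DESK",   None),    # AD-imported desktop, never had a client installed
    ])
    conn.commit()
    return conn


# Users that have a certificate but no User Machine Assignment, with creation and
# modification dates so the reviewer can see whether the account is still in use.
# The NOT IN subquery is the Security Officer check suggested by Holger.
ORPHANED_USERS_SQL = """
SELECT u.name, u.created, u.modified, c.thumbprint
FROM users u
JOIN user_certificates c               ON c.user_id = u.user_id
LEFT JOIN user_machine_assignments uma ON uma.user_id = u.user_id
WHERE uma.user_id IS NULL
  AND u.user_id NOT IN (SELECT user_id FROM security_officers)
ORDER BY u.name
"""


def orphaned_users(conn):
    """Return (name, created, modified, thumbprint) for every orphaned certificate."""
    return conn.execute(ORPHANED_USERS_SQL).fetchall()


def stale_machines(conn, days=180, now=NOW, include_never_synced=False):
    """Names of machines whose last sync is older than `days`.

    Machines that never synced are excluded by default: in Peter's setup those are
    often AD-imported desktops that the next sync job would simply re-import.
    """
    cutoff = iso(now - timedelta(days=days))
    sql = "SELECT name FROM machines WHERE last_sync < ?"
    if include_never_synced:
        sql += " OR last_sync IS NULL"
    return [row[0] for row in conn.execute(sql + " ORDER BY name", (cutoff,))]


def plan_purge(conn, days=180, now=NOW):
    """Build the list of deletions without touching anything."""
    plan = [("delete_certificate", row[0]) for row in orphaned_users(conn)]
    plan += [("delete_machine", name) for name in stale_machines(conn, days, now)]
    return plan


def apply_purge(conn, plan, dry_run=True):
    """Dry-run by default, like Holger's scripts: only report what would be deleted.

    Returns the number of deletions actually executed (0 in dry-run mode).
    """
    for action, name in plan:
        if dry_run:
            print(f"[dry-run] would {action} {name}")
            continue
        if action == "delete_certificate":
            conn.execute("DELETE FROM user_certificates WHERE user_id = "
                         "(SELECT user_id FROM users WHERE name = ?)", (name,))
        else:
            conn.execute("DELETE FROM machines WHERE name = ?", (name,))
    conn.commit()
    return 0 if dry_run else len(plan)


if __name__ == "__main__":
    db = build_sample_db()
    for row in orphaned_users(db):
        print("orphaned certificate:", row)
    print("stale machines (180 days):", stale_machines(db))
    apply_purge(db, plan_purge(db))  # dry run: nothing is deleted
```

Run it once in dry-run mode and review the list (in particular the modified dates) before switching `dry_run` off; against the real database, the safer path the thread describes is to take the same list and delete the objects through the SG Enterprise Management Center rather than with direct DELETE statements.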
  • Hi Chris,

    even if this thread is more than 1 year old.....

    you mentioned a planned KBA with status "work in progress" on this issue.

    But I still can't find it using the ID or title you mentioned.

    Can you give a hint where to find this KB article, since the issue is still a concern for us.

    THX

    Ralf

  • Hi Ralf,

    my fault - created the content but didn't publish it. Sorry!

    You can either use the script linked above or the one from the - now published - Knowledge Base Article: https://www.sophos.com/en-us/support/knowledgebase/120086.aspx

    Regards,

    ChrisD
