
Sophos Central ADSync removes users and groups from second synced AD forest

Hello Community,

We have the following problem with the ADSync tool:

There are two different domains where the ADSync tool is installed to sync users and groups. The first domain is e.g. domain.com, the second e.g. dev.domain.com.

When the sync for domain.com runs, all users and groups from dev.domain.com are deleted.

I think the sync tool removes them because dev.domain.com looks like a subdomain and it can't find them, but dev.domain.com is a completely different domain forest.

Also, the mail attribute of users in dev.domain.com is username@domain.com.

After the deletion the users and groups are removed from the policies inside Sophos Central Endpoint.

Is there a solution to prevent the deletion of users and groups in our scenario?

 

Thanks for your help

Andreas



  • Hello Andreas,


    Looking at the Sophos Central AD Sync documentation, I found this entry:

    It can synchronize multiple Active Directory forests. To do this, you need to install the utility on multiple machines and configure each utility to synchronize a different AD forest. We strongly recommend to synchronize different AD forests at different times of day, so that the synchronizations do not overlap.

    Can you confirm whether you are using that setup, or can you please try it and let us know if that alleviates the issue?

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Hello Barb,

    Yes, we have installed the utility on different machines inside the two different forests and configured the sync at different times. We checked before our implementation whether it is a supported scenario by reading the documentation you added to your answer.

    At domain.com the task runs at 3:00 AM. This task deletes the users and groups from the other domain. At dev.domain.com it runs at 3:30 AM. After this sync all users and groups are added back to Central.

    The main problem is not the temporary removal for some minutes (but it's a bad thing). The really big problem is that the removed users and groups are no longer assigned to the rules of AppProtection etc.

    Which attributes are checked by the sync tool to remove a user or a group?

    Regards
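The thread raises two hypotheses for why a sync run of domain.com drops the dev.domain.com objects: the second forest's DNS name is a suffix of the first, and the dev users carry a mail attribute ending in @domain.com. The script below is an added example (not Sophos' code and not the AD Sync utility's real matching logic) that an administrator can run as a pre-flight check over two Get-ADUser-style CSV exports before enabling a second forest: it reports mail suffixes claimed by more than one forest, lists the users whose mail suffix equals another forest's name, and models what a sync run would remove under three assumed ownership rules (scoped to the source forest, scoped by mail suffix, or scoped by DN suffix). The exports are constructed sample data; the ownership rules are assumptions that model the thread's hypotheses, not documented product behaviour.

```python
"""Pre-flight check for multi-forest Sophos Central AD Sync setups.

Added example, not Sophos' code.  The three "ownership" rules below are
assumptions used to model the problem described in the thread; they are
not the documented matching behaviour of the AD Sync utility.
"""
import csv
import io
from collections import defaultdict

# Constructed sample exports, in the shape produced by
#   Get-ADUser -Filter * -Properties mail | Export-Csv
PRIMARY_EXPORT = """\
sAMAccountName,mail,distinguishedName
alice,alice@domain.com,"CN=alice,OU=Users,DC=domain,DC=com"
bob,bob@domain.com,"CN=bob,OU=Users,DC=domain,DC=com"
"""

DEV_EXPORT = """\
sAMAccountName,mail,distinguishedName
carol,carol@domain.com,"CN=carol,OU=Users,DC=dev,DC=domain,DC=com"
dave,dave@dev.domain.com,"CN=dave,OU=Users,DC=dev,DC=domain,DC=com"
erin,,"CN=erin,OU=Users,DC=dev,DC=domain,DC=com"
"""


def forest_from_dn(dn):
    """Join the DC= components of a DN: DC=dev,DC=domain,DC=com -> dev.domain.com.
    Plain split on ',' is enough for the constructed DNs above (no escaped commas)."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return ".".join(parts).lower()


def mail_suffix(mail):
    """Domain part of a mail address, or None when the attribute is empty."""
    return mail.rsplit("@", 1)[1].lower() if mail and "@" in mail else None


def load_exports(*csv_texts):
    """Parse one or more exports and group rows by the forest derived from the DN."""
    by_forest = defaultdict(list)
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            by_forest[forest_from_dn(row["distinguishedName"])].append(row)
    return dict(by_forest)


def suffix_collisions(exports):
    """Mail suffixes that are carried by users of more than one forest."""
    owners = defaultdict(set)
    for forest, rows in exports.items():
        for row in rows:
            suffix = mail_suffix(row["mail"])
            if suffix:
                owners[suffix].add(forest)
    return {s: sorted(f) for s, f in owners.items() if len(f) > 1}


def at_risk_users(exports):
    """Users whose mail suffix is the DNS name of a *different* forest, i.e. the
    accounts a suffix-based reconciliation would attribute to the wrong source."""
    names = set(exports)
    risky = []
    for forest, rows in exports.items():
        for row in rows:
            suffix = mail_suffix(row["mail"])
            if suffix and suffix != forest and suffix in names:
                risky.append((forest, row["sAMAccountName"], row["mail"]))
    return sorted(risky)


def central_view(exports):
    """Flatten the exports into what Central holds after both forests synced."""
    return [(f, r["sAMAccountName"], r["mail"]) for f, rows in exports.items() for r in rows]


def simulate_sync_removals(central_users, sync_forest, sync_rows, rule):
    """Model one sync run of `sync_forest` and return the accounts it would remove.

    rule (assumed ownership models):
      "forest"      - the run only owns users it sourced itself
      "mail_suffix" - the run owns every user whose mail suffix is its DNS name
      "dn_suffix"   - the run owns every user in its own or any child DNS name
    """
    present = {r["sAMAccountName"] for r in sync_rows}
    removed = []
    for forest, sam, mail in central_users:
        if rule == "forest":
            owned = forest == sync_forest
        elif rule == "mail_suffix":
            owned = mail_suffix(mail) == sync_forest
        elif rule == "dn_suffix":
            owned = forest == sync_forest or forest.endswith("." + sync_forest)
        else:
            raise ValueError(f"unknown rule {rule!r}")
        if owned and sam not in present:
            removed.append(sam)
    return sorted(removed)


EXPORTS = load_exports(PRIMARY_EXPORT, DEV_EXPORT)

if __name__ == "__main__":
    print("suffix collisions:", suffix_collisions(EXPORTS))
    print("at-risk users:", at_risk_users(EXPORTS))
    central = central_view(EXPORTS)
    for rule in ("forest", "mail_suffix", "dn_suffix"):
        gone = simulate_sync_removals(central, "domain.com", EXPORTS["domain.com"], rule)
        print(f"domain.com sync under rule {rule!r} would remove: {gone}")
```

Under the "forest" rule nothing is removed; under "mail_suffix" only the dev users whose mail ends in @domain.com disappear, while under "dn_suffix" every dev.domain.com object goes, which is the pattern the post describes. Running the two checks against real exports before scheduling the second forest's sync shows which accounts to watch, and re-running them after a suspected deletion narrows down which attribute the tool is actually keying on.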
