
SEC 5.5.0 - AD Synchronization Interval Overrides Computer Description

In the Sophos Enterprise Console, we are using AD Synchronization.  I have noticed that the Computer Description keeps changing.  This is what's going on:

1. SEC syncs with AD and pulls the description from AD.
2. Then later on the Sophos Agent service will send the description set on the endpoint and SEC will set that as the new computer description.
3. AD Synchronization interval triggers and sets the description back to what is set in AD.
4. Again later on the Sophos Agent service will send the description set on the endpoint and SEC will set that as the new computer description.

This cycle goes on and on in a continuous loop.  I would prefer the SEC to not pull the description from AD at all and allow what's set on the endpoint to take place permanently.  Is there a setting I'm missing to make this happen?  I'm assuming disabling AD Synchronization would do that but I need the computer names to still sync with the correct groups.

Thanks.



  • Hello B.Banner_Hulk,

    indeed - I've never noticed (no wonder as I don't use it in production). I assume you (or rather someone else) need the description in AD but as far as SEC is concerned you want the actual description set on the endpoint? AD sync can't be "customized", only if the AD Description is empty the endpoint's value wouldn't be overridden.

    Christian

  • You are correct, that I'd like to keep the descriptions in AD but have SEC pull the description from the endpoint.

    However, and as suspected, setting a blank description in AD caused the description to be blank in SEC as soon as it synced.  I have SEC set to sync with AD every 12 hours.  Now the blank AD object will be blank on the initial sync, then sometime within the next 12 hours the endpoint will send the correct description to SEC but then in exactly 12 hours SEC will set it back to the blank AD object description.  Annoying....

  • Hello B.Banner_Hulk,

    "Annoying...."

    indeed - strange that I can't remember any complaints in this regard. Sorry about the suggestion with the blank, didn't have time to test, will do tomorrow. Happen to have a dusty SEC5.2.1 on the shelf - just to make sure it behaved always like this. Furthermore I can't see a rationale for this behaviour at the moment.

    Christian

  • Thanks Christian.  Please let me know your findings as I never really paid attention or had a need to use the descriptions listed in the SEC until now.

    From what I gathered, I thought SEC is supposed to only sync the AD computer description once.  Then the endpoint is supposed to send the computer description and that should take precedence over any other values.  This would make sense given that there is a "ComputerDescriptionOverride" reg key as described here: https://community.sophos.com/kb/zh-cn/110550

    Not sure if this is a bug in 5.5.0 or something broken with my server.

  • Hello B.Banner_Hulk,

    "I never really paid attention or had a need to use the descriptions"

    my words ... no bug, nothing's broken with your server - same behaviour with 5.2.1

    Christian