This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Active Directory and groups in SEC

We have made several groups and synced the groups in SEC to Active Directory. There are 2 things that noticed me:

 

at first the count of computers in Ad where the same as in the groups from SEC. Now suddenly there are much less computers in SEC then there are in the connected OU's. It looks like the computers with error's which Sophos cannot install its software are not in the groups anymore, but this is a hunch...

When restarting SEC the groups are the the same as the OU's in AD with the same count off computers but several minutes later several computers disappear from the group in SEC and there are much less computers in SEC, why is this where are those computers?

Sync is set to 10 minutes

 

Second thing is that there are computers in the unassigned group which are also in the OU on AD in the groups that are synced with the groups in SEC. How can this be these are synced with AD...

 

 



This thread was automatically locked due to age.
Parents
  • Hello Corne Stoop,

    do you also Protect the computers automatically when they are synced? There's only a loose connection between AD and SEC, basically name, description, OS and its version, and of course the domain are considered. If after the Sophos installation the endpoint reports attributes different from those in AD (e.g. different OS version) this might cause an additional entry to be created. The SEC group will then contain an unmanaged computer, the managed endpoint will be in Unassigned. Comparing the two entries (tab Computer Details) should show the difference.

    Christian

  • Hi Christian,

     

    Yes also protect when syncing. I noticed that alle computers that fail to protect are windows 7 computers with no SP1 behind it in Sophos. They have windows 7 SP1 installed so Sophos is not reading this information. Or AD is not syncing good information.

    I have tried several computers that are pingable at the moment but protectinng is not succeeding. Maybe the SP1 information is missing is the couse of this? They have SP1 though..

     

     

    How can i solve this?

Reply
  • Hi Christian,

     

    Yes also protect when syncing. I noticed that alle computers that fail to protect are windows 7 computers with no SP1 behind it in Sophos. They have windows 7 SP1 installed so Sophos is not reading this information. Or AD is not syncing good information.

    I have tried several computers that are pingable at the moment but protectinng is not succeeding. Maybe the SP1 information is missing is the couse of this? They have SP1 though..

     

     

    How can i solve this?

Children
  • Hello Corne Stoop,

    computers that fail to protect
    if they are synced and Protect fails there should be an error message, the same for all or different ones?

    As long as the computer is unmanaged (grey, no green or red overlay on the icon) the attributes are taken from AD. If there's no SP1 indicated in the console it's likely not in AD. SEC should nevertheless attempt to protect them. If protection is successful the endpoint will report the expected name but an OS/SP version different from the one in AD so it won't match the synced computer (you should find the managed computer in the Unassigned group though).

    Christian

  • Not all computers that fail are in the unassigned group only a few.

    I noticed that for several computers have old ip's attached to it according to dns. When i want to connect to a computer that cannot be protected it failes. When looking at its hostname and ipnumber then the ipnumber it shows is pointed to another hostname so pinging is showing the wrong ipadres, it must be an dns issue however can this be the failure for Sophos....?

     

  • Hello Corne Stoop,

    incorrect resolution causes all kinds of problems, not only with Sophos' automatic protection. This could be the reason for failed installs.

    The duplicate computers, or computers in Unassigned aren't caused by DNS issues though but likely the incorrect information in AD (though the outdated information might be related to the DNS issues).

    Christian