Hi All,
We are seeing a few (not all) Windows 10 machines getting stuck in the Unassigned group in SEC. We have AD sync configured so I can't manually move the PC to the correct OU to get it's policies. Where can I look please to see if there are any errors/clues on either the client or server?
Also can I install Sophos with the -G switch if I have AD Sync configured?
TIA
Stuart
Hello Stuart,
AD Sync should grab a matching computer object from whatever group it is in (whether the default Unassigned, one specified with -G, or by a manual move before AD Sync has been enabled) and move it to the applicable group. V.v. if it finds a computer in the sync'ed group that from its POV doesn't belong there it will move it to Unassigned. That a computer pops up in Unassigned suggests that there's already on with the same name in the group associated with its OU. You won't see any error when this happens.
Christian
Hi Christian
Thanks for the reply.
I have doubled checked our AD Users and Computers and the computers in question only exists once in AD in the correct OU. Other computers in the same OU are syncing fine with Sophos, I just have 4 Windows 10 computers that are in the unassigned folder in Sophos. I have tried deleting them, performing a rediscover, reinstalled Sophos on the EndPoint, but no joy, they remain in the unassigned group in Sophos?
Cheers
Stuart
Hello Stuart,
by design there are no duplicates in AD.
Unless this is a quirk of AD Sync I haven't seen yet these computers have already a "twin" in the correct SEC group - could you check? If there are no twins please verify, if possible, that Sync is syncing these computers. Turn off one of the computers. In the console click All in the Computers pane on the dashboard, use CTRL+F, enter the name and click Find Next. Delete this instance, click Find Next to make sure there is no other instance. After the next sync the computer should have reappeared and be in the correct SEC group.
Christian
Hi
There are no duplicate computers in Sophos either? I did delete the computer from Sophos anyway, then tried what you suggested and it just reappeared in the unassigned group? I tried this with 2 computers and got the same result? AD Sync is working apart from this as I created a new OU recently and that was synced to Sophos no problem?
Thanks
Stuart
Hello Stuart,
it just reappeared in the unassigned group
and the computers were switched off? This would be very strange. AD Sync works like this: The computers in the OU tree are enumerated as are the computers in the associated SEC groups. Computers from the OU tree not in the SEC groups are added to the applicable group, computers in one of the SEC groups not in the OU tree are moved to Unassigned. Thus a computer from AD not in SEC at all before the sync shouldn't appear in Unassigned afterwards.
Apart from the name additional attributes are considered when Sophos is installed on an endpoint and the endpoint sends its status to SEC - domain/workgroup and operating system and version. If the endpoint is joined the domain should match, OS (version) might differ though. In that case you'll get an (unmanaged) computer in the correct group and a managed one in Unassigned.
To summarize, if the AD OU1 is snyc'ed with SEC's GrpSYNC and PC7-OU1OU2 is in the child-OU OU1\OU2 then a computer with the name PC7-OU1OU2 should be in SEC's GrpSYNC\OU2.
Christian
Sorry for opening this older thread.
We have the same annoying Problems with unassigned groups while migrating from Windows 7 to Windows 10. The migrated computers where renamed to reflect the new OS (W10- instead W7) now for some computers they are doubly present where the active (green) one is unassigned and the inactive (grey) one is in the correct group. Please tell us how to fix that!
Thanks,
Dirk
Hi Dirk,
My suspicion for why this happens is that the Sophos Endpoint is installed on the endpoints before the computer is pulled via AD Sync to Enterprise Console. After install the machine will go to the unassigned group as there is no reference of it, then when an AD sync is performed a new grey entry is added to the proper group. To prevent this you can use the "Install Sophos security software automatically", so the software is guaranteed to installed after an AD Sync.
As for how to fix the current machines, this is likely not supported but should work:
1. Take a backup of your SOPHOS5## database: https://community.sophos.com/kb/en-us/114299
2. In an administrative command prompt, run the below command to get a list of computer entries in your SOPHOS551 database with duplicate names:
sqlcmd -E -S .\sophos -d sophos551 -Q "select * from computersanddeletedcomputers where name in (select name from computersanddeletedcomputers group by name having count(name)>1)"
3. Run the below command to delete the computer entries in your database with duplicate names:
sqlcmd -E -S .\sophos -d sophos551 -Q "Delete from computersanddeletedcomputers where name in (select name from computersanddeletedcomputers group by name having count(name)>1)"
When the computers re-connect to Sophos Enterprise Console, they should repopulate themselves in the correct AD synced group.
Hello Dirk and MEric,
MEric already described how to deal with the duplicates. Allow me some addition though:
this happens [when] Sophos Endpoint is installed on the endpoints before the computer is pulled via AD Sync
I don't think this is a sufficient condition because after deletion the re-connect can occur before or after the next sync. In the former case the endpoints will first (re)appear in Unassigned and subsequently sync will move them to the correct group. Haven't tested AD sync for some time but as far as I can tell the duplication can occur when Sophos is installed before the computer is joined to the domain. The computer reports workgroup membership and is subsequently joined to the domain. If AD sync imports the computer object before the endpoint sends its updated status that indicates domain membership there will be two computers in SEC. If the status update happens before the sync the computer will be correctly moved though. A similar race condition can happen when computers are renamed.
Christian
Thanks for your replies guys. For me it is a bug.
Sophos WERE already installed on these computers, the computers were in the same AD OU, they were always a joined part of the domain, nothing changed, Sophos seems to have problems to recognize a simple computer name change, what shouldn't as in the AD the machines still had and have the same SSID. My workaround is to delete both of the computers and then let them rediscover. Sometimes this works asap, sometimes I had to delete them more often until they get recognized correctly again.
cheers
Dirk
Hello Dirk,
Sophos doesn't use the SID - and using the SID would just shift the problem. In case of a reinstall of a computer it's the SID that will change, as it will in the install-before-join scenario.
It's IMO not a bug as there's no solution to the "is this the same computer?" - or is this Theseus' Computer - problem. Whatever algorithm you devise there's always at least one scenario where it either produces unwanted additional objects or merges some.
Christian
