
Moving from non-OU client structure to Importing from active directory in Sophos SafeGuard with existing auto-registered (non-active directory method of being added) clients

Hello,

I was curious if Sophos SafeGuard was capable of migrating from manual auto-registered clients to importing clients from active directory. Can you do both at the same time? Would you get duplicate entries? Any information around the migration process or quirks importing from active directory would be helpful. Thank you 

  • Hi  

    You can import an existing organizational structure into the SafeGuard Enterprise Database through an Active Directory. Please check this article for more information. If a computer or user is auto-registered while an Active Directory (AD) sync is performed, two objects may be generated in the SafeGuard directory. This can be solved by deleting the object that was added by the AD sync and leaving the one in the ".Auto registered" folder. The next AD sync will correctly move the object from the ".Auto registered" folder into the desired organizational unit. Let me know if you have any further queries. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • Does that mean that I would have to hand-remove each duplicate entry under the AD tree after the first sync? Is there a script to search for duplicates and safely remove them? As we support many clients, manual removal would be excessive.
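The kind of duplicate check asked about above, as an added example that is neither Sophos code nor the SQL the support engineer refers to: it applies the rule given in the earlier reply (when the same user or computer exists both in the ".Auto registered" folder and in an OU populated by the AD sync, keep the ".Auto registered" copy and remove the AD-sync copy, so the next sync moves the kept object into the right OU) to an export of directory objects. The record layout (`DirObject`), its field names, the sample records and the OU paths are all assumptions constructed for the example; they stand in for whatever export of SafeGuard directory objects you obtain through support.

```python
"""Plan the removal of duplicate SafeGuard directory objects.

Added example, not Sophos code. It assumes the SafeGuard directory objects
(id, type, name, container path) have been exported into the record layout
below; the field names and the sample records are constructed.
Rule applied (from the support reply in this thread): when the same user or
computer exists both in the ".Auto registered" folder and in an OU that the
AD sync populated, keep the ".Auto registered" copy and delete the AD-sync
copy; the next sync moves the kept object into the correct OU.
"""
from collections import defaultdict
from dataclasses import dataclass

AUTO_REGISTERED = ".Auto registered"  # folder name used in the thread


@dataclass(frozen=True)
class DirObject:
    object_id: str    # assumed: whatever unique id the export carries
    object_type: str  # "computer" or "user"
    name: str         # account/computer name as shown in the directory
    container: str    # "/"-separated container path in SafeGuard


def is_auto_registered(obj: DirObject) -> bool:
    """True when the object sits in (or under) the auto-registered folder."""
    return AUTO_REGISTERED in obj.container.split("/")


def find_duplicates(objects):
    """Return (to_delete, ambiguous).

    to_delete: list of (keep, delete) pairs; keep is the auto-registered
               copy, delete is the copy created by the AD sync.
    ambiguous: groups with more than one auto-registered copy, which a
               script should flag for review rather than resolve itself.
    Objects are matched on type plus case-insensitive name, because AD
    names are case-insensitive.
    """
    groups = defaultdict(list)
    for obj in objects:
        groups[(obj.object_type, obj.name.casefold())].append(obj)

    to_delete, ambiguous = [], []
    for group in groups.values():
        auto = [o for o in group if is_auto_registered(o)]
        synced = [o for o in group if not is_auto_registered(o)]
        if not auto or not synced:
            continue  # only one source knows this object: nothing to do
        if len(auto) > 1:
            ambiguous.append(group)
            continue
        to_delete.extend((auto[0], s) for s in synced)
    return to_delete, ambiguous


# Constructed sample export: ids, names and OU paths are invented.
SAMPLE_EXPORT = [
    DirObject("1", "computer", "WS-0101", ".Auto registered"),
    DirObject("2", "computer", "ws-0101", "corp.example/Workstations/Finance"),
    DirObject("3", "user", "jsmith", ".Auto registered"),
    DirObject("4", "user", "jsmith", "corp.example/Users/Finance"),
    DirObject("5", "computer", "WS-0202", "corp.example/Workstations/HR"),
    DirObject("6", "user", "bwong", ".Auto registered"),
    DirObject("7", "computer", "LAPTOP-07", ".Auto registered"),
    DirObject("8", "computer", "laptop-07", ".Auto registered"),
    DirObject("9", "computer", "LAPTOP-07", "corp.example/Workstations/IT"),
]


def main():
    """Print a removal plan; nothing is deleted by this script."""
    to_delete, ambiguous = find_duplicates(SAMPLE_EXPORT)
    for keep, drop in to_delete:
        print(f"DELETE {drop.object_type} id={drop.object_id} in {drop.container}"
              f"  (keeping id={keep.object_id} in {keep.container})")
    for group in ambiguous:
        ids = ", ".join(f"id={o.object_id}" for o in group)
        print(f"REVIEW {group[0].object_type} {group[0].name}: {ids}")


if __name__ == "__main__":
    main()
```

The script only produces a plan: the pairs it reports (computer `WS-0101` and user `jsmith` in the sample) are the AD-sync copies to remove, and a name with more than one auto-registered copy is listed for manual review instead of being decided automatically. Running the actual deletions against the SafeGuard database is the step the support engineer covers with a case, and the plan above gives you something to check against before doing so.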

  • Hi  

    This can be done by running a few queries in the SQL database (SafeGuard), for which I would suggest you open a support case and PM me the case details.

    Shweta

  • Additional Question: Is it possible to synchronize with only one OU within an active directory?

  • Yes it is. You could also modify perms to only allow the account you're using to read from that particular OU.

  • What would be the benefit/purpose of enabling this feature during AD import:

     - Decide whether Active Directory group memberships should be synchronized with the SafeGuard Management Center

    Thank you!

  • It really depends on how you want to control policies/management. 

    If your whole estate is to be encrypted, it might make more sense to have everything sync'd, but I think this is especially true if you intend to use File Encryption as well as disk.

    With FE you'll want groups of users/computers to be able to decrypt/encrypt files. This in turn will need careful management when Bob moves into Finance from HR and she has to have her perms changed. Without group "awareness" in SafeGuard, you'll need to manually sort this so she does/does not have perms/access to something she needs.

    With just DE I feel this (in my opinion) is less of an issue. The disks are encrypted. Users may or may not share computers - this wouldn't impact groups (to the same degree)

    So - In my VERY simple mind...Group sync is more relevant to FE and not DE.....

  • How about macOS computers bound to the active directory alongside Windows computers? Are there any ill effects to Macs in the imported OUs that have local users and FileVault (managed by SafeGuard)? We bind Macs to AD for admin elevation and administrator login access for technicians (after bypassing the FileVault login screen... it's not our intention to add technicians as authorized FileVault users with boot login). Our goal is to allow any user to log in to a bound computer if they have AD access for Windows, and for macOS only FileVault-authorized users at boot and anyone in AD after the FileVault/boot login (same as Windows).

    Thank you all for answering my inquiries so quickly!

  • Hi Eric - I bind my macs to AD as a computer object, not as a user. My machines then exist in AD (for the benefit of SafeGuard) but the users log on locally with their own account rather than establishment account.

    There was a politics issue to this too - "We" didn't want to rock the boat with the way they accessed their device, more of a soft-touch management.

    Our setup works well though - I can still manage the Macs by policy in SafeGuard and, as you mentioned, their local user is imported into the SafeGuard directory so we have some view over that too.

    Our important difference though (I'm assuming) is that we ONLY do DE, we do NOT do FE. I think if you have gone down that route (or intend to) then I would recommend much tighter integration and bind the Macs and users to your primary directory (AD).

    You may want to consider alternatives like NOMAD too - It's like a "soft" bind for the Macs. You get many benefits but without some of the downsides! 

  • We went the same route with DE only, seemed safest and less complicated. Thanks for all your insight Michael.