Sophos AD Sync Filters

Hi,

I've inherited the system and noticed that we have 1000s of users in Sophos Central even though we should probably have around 1000-1500.

A little OU structure overview:

Admins top level OU (no users in root)
  - Sub OU 1 (users)
  - Sub OU 2 (users)
  - Sub OU 3 (users)

Users top level OU (contains users in root)
  - Sub OU 1 (users)
  - Sub OU 2 (users) - This OU has 1000s of users and only a handful of them ever logged in.
  - Sub OU 3 (users)
  - Sub OU 4 (users)

Is there a way to create an LDAP filter for all users and admins that would only sync users who logged on in XX days? Say 30 days?

Alternatively, if the above is not possible, I am thinking of having a filter based on group memberships.

Does anyone have a suggestion for an LDAP filter that could work for the above scenario?

Granted, the OUs could do with a little restructuring but I think of that as last resort for now.

Regards,

LP

  • Hi LP,

    Thanks for reaching out to the Sophos Community Forum. 

    If you are looking to filter out the users that have never logged on, it is possible to do so using "lastLogonTimestamp<=". 

    I recommend looking into the attribute a bit further to better understand it, as the actual date of the most recent logon can be different than the value returned from AD. What may work best is to run a report for this value and the usernames from your active directory environment to view the results in a CSV or Excel document. You can then order the list by "lastLogonTimestamp" to see if using this type of filter will accomplish what you're aiming to do.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Qoosh,

    Thanks for your suggestion. The filter seems to be working; however, would it be possible to tie it to a certain number of days instead? Let's say if the lastLogonTimestamp is older than 30 days, don't sync it (or in other words, if lastLogonTimestamp is within the last 30 days, sync it).

    Also just to tackle this from different angles could we tie the filter to group membership so only users who are members of a certain group get synced? 

    Regards,

    LP
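A worked example of the two filters asked about above (an added example, not code from this thread or from Sophos): it converts the 30-day cutoff into the FILETIME integer that lastLogonTimestamp actually stores, widens the window for the replication lag of that attribute mentioned in the reply, and escapes a group DN before adding a memberOf clause. The group DN and the fixed "now" are constructed values.

```python
# Added example, not from the thread: build an AD sync LDAP filter that keeps
# only accounts that logged on recently. lastLogonTimestamp is stored as a
# Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so "within
# the last 30 days" must be converted to that integer before it can be compared.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one FILETIME tick is 100 ns

# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

def to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME integer (whole seconds are enough here)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def from_filetime(ticks: int) -> datetime:
    """FILETIME integer -> aware UTC datetime (exact at microsecond resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN pasted into the filter cannot alter its structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_sync_filter(days: int, now: datetime, group_dn: str = "",
                      replication_slack_days: int = 14) -> str:
    """Filter for user accounts that logged on within `days` days.

    AD only rewrites lastLogonTimestamp when the stored value is older than
    msDS-LogonTimeSyncInterval (default 14 days), so the stored value can lag
    the real last logon by up to that much. The slack widens the window so a
    user who logged on 29 days ago is not dropped because of that lag.
    Accounts that never logged on have no value (or 0) and fail the >= test.
    """
    cutoff = to_filetime(now - timedelta(days=days + replication_slack_days))
    parts = ["(objectCategory=person)", "(objectClass=user)",
             f"(lastLogonTimestamp>={cutoff})"]
    if group_dn:                        # optional group-membership restriction
        parts.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(parts) + ")"

if __name__ == "__main__":
    print(build_sync_filter(30, SAMPLE_NOW))
    print(build_sync_filter(30, SAMPLE_NOW,
                            group_dn="CN=Sophos-Sync,OU=Groups,DC=example,DC=com"))
```

Note that memberOf matches direct membership only; nested groups need the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=) or flattening the group.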
