
Changed Active Directory username and now user's external send emails are rejected

As the Subject line says, I changed a user's last name in Active Directory and the new name does not appear in either Mailboxes or People in the Sophos Email Security. Do I have to manually enter the new name? In both places? Is there a way to automatically sync with AD?



Added TAGs
[edited by: Raphael Alganes at 11:16 PM (GMT -7) on 1 Aug 2024]
  • It turns out that AD Sync was not running.  I installed it and now all is well.  Thanks for the response.

    One final question: can you point me to a document that explains how "People" and "Mailboxes" work?  Why are they different?  How do I know which ones I can delete?

  • Because Sophos Central manages many products that we produce, we need both People and Mailboxes. Endpoint, for instance, isn't concerned with the user having a mailbox, so the People designation is important, where Email requires the Person to have a valid email address (think recipient validation). If you delete a person who has a mailbox and don't synch, then we will reject email for that person both inbound and outbound. If you delete a person who doesn't have a mailbox but was automatically created, say via the endpoint agent, the next time that agent checks in it will likely recreate the People object. I wouldn't be concerned over that.

    One thing about AD Synch that I frequently see with customers is configuring to synch at the very top level DC=domain, DC=com, but you can often run into issues where you will get external addresses synched into your Central (mail contacts). My recommendation is to find the level where your Active Users are operating, OU=Users,DC........
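
One way to compare candidate sync scopes before pointing AD Sync at one, as an added example that is not part of the thread or Sophos's own tooling: it counts mail-bearing objects by class under the domain root and under a user OU, then lists mail contacts that only the root scope would cover. The two DNs are placeholders, and the `(mail=*)` filter is an assumption for illustration; it does not reproduce the filter the AD Sync utility applies.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder DNs (assumptions); replace with your own domain root and user OU.
$RootBase = 'DC=example,DC=com'
$UserBase = 'OU=Users,DC=example,DC=com'

function Get-MailObjectSummary {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Every object under the base that carries a mail attribute,
    # regardless of class (user, contact, group, ...), counted per class.
    Get-ADObject -LDAPFilter '(mail=*)' -SearchBase $SearchBase `
                 -SearchScope Subtree -Properties mail |
        Group-Object -Property ObjectClass |
        Select-Object @{n='SearchBase';  e={$SearchBase}},
                      @{n='ObjectClass'; e={$_.Name}},
                      Count
}

# Per-class counts at each candidate scope. A large 'contact' count at the
# root that is absent at the OU is the external-address problem described above.
Get-MailObjectSummary -SearchBase $RootBase
Get-MailObjectSummary -SearchBase $UserBase

# Mail contacts that sit outside the user OU, i.e. objects only the
# root-level scope would cover.
Get-ADObject -LDAPFilter '(&(objectClass=contact)(mail=*))' -SearchBase $RootBase `
             -SearchScope Subtree -Properties mail |
    Where-Object { $_.DistinguishedName -notlike "*,$UserBase" } |
    Select-Object Name, mail, DistinguishedName
```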