
AD membership sync - particular group - syncs also account outside that group

Hello,

as the subject says, I have an issue with AD group sync. There is one user account that has been a member of the group I am syncing from AD in the past, but now it is not - this has been verified by at least 2 pairs of eyes.

When I trigger a manual sync from AD, Sophos writes to the log which accounts have been synced. Obviously, the account in question is not in the list (i.e. Sophos did not write a single line into the log about it while syncing).

My question would be - why is that user still in my Sophos, and how come Sophos boldly shows that it is still a member of said group? See attached image.

Manual sync has been triggered like 15 times already, and the automatic one runs every day. Also, the user has not been a member of the group for months, if not years.

Thank you for any hint in advance, take care.



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Could you please provide some more detail on what you configured under Authentication Services > Advanced > Active Directory Group Membership Synchronization and > Prefetch Directory Users?

    What is configured under prefetch interval, and did you enable AD group membership background sync? 

    Are you able to test the connection from the firewall to your AD server? 

    Thanks,

  • Hello,

    thank you for the immediate feedback. I am sure the attached image answers all the questions. The user in question is seen by Sophos as a member of the group being synced - the one starting with GLB* (in reality, the user is not a member). Sensitive info (e.g. company name) has been hidden.

    Active Directory infrastructure is up and running and perfectly reachable (verified by PING), users are able to log on, and the manual sync with AD does not throw any error.
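The replies above revolve around whether AD and the firewall agree on the group's membership. A check worth running alongside the GUI "Member Of" tab is to ask the directory the same questions an LDAP consumer would: the user's direct memberOf back-links, the DC-computed effective membership (tokenGroups, which includes nesting), and the group's member list flattened through nested groups, all against the specific domain controller the firewall is configured to talk to. The following PowerShell is an added example written for this thread, not code from Sophos or from the original poster; the user name, group name and server are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): compare GUI-visible membership with what an
# LDAP consumer sees for one account, on one specific domain controller.
# Assumptions: RSAT ActiveDirectory module present; $User, $Group and $Server are
# placeholders for the real sAMAccountName, the GLB* group name and the DC the
# firewall is configured against (replication lag between DCs is a common cause
# of "AD says one thing, the appliance says another").
Import-Module ActiveDirectory

$User   = 'jdoe'           # placeholder sAMAccountName
$Group  = 'GLB-Example'    # placeholder for the group being synced
$Server = 'dc01.example.local'  # placeholder: the DC the firewall queries

# memberOf is a back-link on the user; tokenGroups is constructed by the DC and
# already contains nested group SIDs. Both need a base-scope query, which
# Get-ADUser -Identity performs.
$acct = Get-ADUser -Identity $User -Server $Server -Properties memberOf, tokenGroups

# 1. Direct membership only (what the "Member Of" tab shows).
$direct = $acct.memberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $Server).Name }

# 2. Effective membership including nesting, as computed by the DC.
$effective = $acct.tokenGroups | ForEach-Object {
    try   { (Get-ADGroup -Identity $_.Value -Server $Server).Name }
    catch { $_.Value }   # SIDs that no longer resolve (e.g. deleted groups) are kept raw
}

# 3. The group's own member list, flattened through nested groups.
$flattened = Get-ADGroupMember -Identity $Group -Server $Server -Recursive |
    Select-Object -ExpandProperty SamAccountName

[pscustomobject]@{
    User                    = $User
    Server                  = $Server
    DirectMemberOfGroup     = ($direct    -contains $Group)
    EffectiveMemberOfGroup  = ($effective -contains $Group)
    InGroupRecursiveMembers = ($flattened -contains $User)
}
```

If the three flags disagree with each other, the difference is inside AD (nesting or replication); if all three are false on the DC the firewall uses, the stale entry lives on the firewall side, which is where the prefetch and background sync settings the reply asks about come into play.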