
AD membership sync - particular group - also syncs an account outside that group

Hello,

As the subject says, I have an issue with AD group sync. There is one user account that was a member of the group I am syncing from AD in the past but is not any more; this has been verified by at least two pairs of eyes.

When I trigger a manual sync from AD, Sophos writes to the log which accounts have been synced. Obviously, the account in question is not in the list (i.e. Sophos did not write a single line into the log about it while syncing).

My question would be: why is that user still in my Sophos, and how come Sophos boldly shows that it is still a member of said group? See attached image.

A manual sync has been triggered about 15 times already, and the automatic one runs every day. Also, the user has not been a member of the group for months, if not years.

Thank you for any hint in advance, take care.



  • group=""

    That means he's not identified as a member of a Backend Group defined by an AD Security Group, so there's some other reason he qualified for that filteraction.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
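If you want to check Bob's reading across a larger slice of the web-filter log rather than eyeballing one line, here is a small Python helper, added as an example and not part of the thread or of Sophos' own tooling. It parses the key="value" layout, pulls out user, group and filteraction for each line, and lists authenticated users who never matched a backend group. Only the group="" field comes from the thread; every other field name, the sample log lines and the REF_... object names are constructed for the example.

```python
import re
from typing import Dict, List

# The web-filter log is a run of key="value" pairs; the one field the thread
# quotes is group="". Values may be empty or carry backslash-escaped quotes,
# so a naive split on spaces or quotes is not safe.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample lines (not taken from the thread). Field names other
# than "group" and the REF_... names are assumptions for the example.
SAMPLE_LOG = [
    'user="alice" group="GLB_U_S_InternetUsers" profile="REF_Profile_LAN" '
    'filteraction="REF_FiltAct_Helpdesk" action="pass" url="http://example.com/"',
    'user="bob" group="" profile="REF_Profile_LAN" '
    'filteraction="REF_FiltAct_Helpdesk" action="pass" url="http://example.org/"',
    'user="" group="" profile="REF_Profile_LAN" '
    'filteraction="REF_FiltAct_Default" action="block" url="http://example.net/"',
    'user="carol" group="Dept \\"Sales\\"" profile="REF_Profile_LAN" '
    'filteraction="REF_FiltAct_Sales" action="pass" url="http://example.com/x"',
]


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict, unescaping \\" inside values."""
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}


def explain_match(rec: Dict[str, str]) -> str:
    """State what the group field says about how the filter action was chosen."""
    group = rec.get("group", "")
    if group:
        return f'matched backend group "{group}"'
    if rec.get("user"):
        # Bob's point: an empty group means no AD backend-group match, so the
        # filter action was selected by something else the line does not name.
        return "authenticated user, no backend-group match: filter action chosen for another reason"
    return "unauthenticated request, no backend-group match"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Reduce each line to the fields relevant to the thread plus an explanation."""
    out = []
    for line in lines:
        rec = parse_kv_line(line)
        out.append({
            "user": rec.get("user", ""),
            "group": rec.get("group", ""),
            "filteraction": rec.get("filteraction", ""),
            "why": explain_match(rec),
        })
    return out


def users_without_group_match(lines: List[str]) -> List[str]:
    """Authenticated users that never hit a backend group in these lines: the
    candidates for 'gets the policy but is not in the AD group'."""
    seen, matched = set(), set()
    for rec in (parse_kv_line(l) for l in lines):
        user = rec.get("user", "")
        if not user:
            continue
        seen.add(user)
        if rec.get("group", ""):
            matched.add(user)
    return sorted(seen - matched)


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("users with a filter action but no group match:",
          users_without_group_match(SAMPLE_LOG))
```

Run it over the real log lines for the account in question: if every one of them carries group="" while filteraction is still set, that confirms the reading above that the AD backend group did not match and the filter action was picked by some other condition, which is the thing to look for in the profile and policy rather than in the group sync.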
  • I thought that, to qualify for a filter action, one first has to qualify for a web filter profile (with the network the request is coming from), then qualify for a filter policy (in my case, that's based on AD group membership), and then, whichever policy the user has qualified for, the appropriate filter action is used.

    How can one qualify for a filter action when, in the chain of preceding conditions, at least one condition is not met? In other words, how come the chain Profile -> Policy -> FilterAction is not followed?

    In my case, the user qualifies for the filter profile based on the network he is in. Then, based on the policy helpdesk, he qualifies for the policy (although he should not! He is not a member of the appropriate AD groups), and then the filter action kicks in. Confusion of the highest order.

    Thanks for hearing me out, take care.

  • Due to spending way more time on this issue than it deserves, I have decided to delete that account from Sophos; the account is not that important anyway. This dialog popped up when deleting the account. If this is not evidence of Sophos still incorrectly thinking that the account in question is a member of the GLB_U_S_InternetUsers group, then I don't know what is.

    Let's see if deletion of the user object in Sophos (not in AD!) worked out.

  • ... after deleting the user from Sophos and running the AD sync several times, the user has not been recreated and is now denied internet access.

    That'll do for me.

    Have a beautiful day, all of you.