Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 24 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 27924 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD Group Membership

TXGARobert@Home
I have the proxy running with the authentication method set to SSO.  For the most part, everthing works as expected.

I am having issues where I create a "New Group" in the UTM9 box, assign one or more AD users to the group then use this newly created group in my "Filter Assignments".  The users that are assigned to this group are not being assigned to the proper filter profile.  For some it works fine, but not all.

If I add these AD users directly to the FilterAssignment they are being assigned to the correct filter profile.

Also, if I take a AD user account that I am having issues with and use that to test the adirectory authentication server, it is not showing that he belongs to the UTM9 group in question, even though it does show the other two he would be a member of. I can see his name listed clearly in the group as being there.  I have tried deleting the group and recreating it, but the same thing happens.

Any ideas as to what to check next?


This thread was automatically locked due to age.
  • 0
    even if I don't prefetech does it not create a local user everytime someone authenticates against AD?

    Not unless you've configured it to do that, but I recommend that auto user creation be disabled in larger setups like yours.  Even in the smallest ones, I only recommend autocreation for the End User Portal.

    Are the local accounts even needed if they are not used specifically in a HTTP profile or something simular? 

    That's right, the only reason to have local objects for your users is if they need to receive quarantine reports or they use a Remote Access method that requires a cert.  Those objects should be created by doing a prefetch of specific groups from your AD server.

    Cheers - Bob
    PS At present, deleting a user in AD does not result in the synced user being deleted or disabled in V8 or V9.  Disabling a user in AD also does not disable a synced user in V8 or V9.  Someone might want to suggest a feature if there isn't already one proposed.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Well, I have started deleting the student accounts that were created during the prefetch.  At this rate I may have them deleted by Christmas.

    If I select more than 25 users to delete it keeps asking if I want to wait or abort the process.  Selecting more than 25 to delete at once is a lost cause.
  • 0
    Contact your reseller to have them ask Sophos Support to do a mass deletion from the command line.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sorry to Necro this thread but it came up when I was looking for the same thing. I have definitely seen the resolution below to this issue in other threads.

    Dragging the full CN from the finder to create a backend group does not work (pretty sure this is still a bug 5 years later). Instead you need to use the straight CN for the group, in quotes when you assign targets to the policy.

    For example, I have a global security group nested under other AD OUs, and use the simple CN with quotes "CN=Internet Access Group" - when inserting a group into the filter (create a new group). AD will only let you define a single CN of the same name anyway. Works with the UTM's web filter. But it doesn't create a group in "Users & Groups" as you would expect it to... it simply maps correctly.

    This article is related but overly complicated to my mind: https://community.sophos.com/kb/en-us/120658

    ...although it probably describes the issue in full.

Unfiltered HTML