Sophos/Utimaco Safeguard Enterprise Auto-Sync Script

Those of you who have used Safeguard will know that for reasons known only to the Germans, Utimaco decided not to provide any way to automatically sync Safeguard with your AD domain(s) without resorting to a rather buggy API. They provide some example code for VBScript and Sophos are rumoured to be adding an automatic sync function in 5.60, but if you’d rather do it in PowerShell and have some decent error handling and reporting then look no further.

As per usual with these things, this needs to be run on a machine that has Safeguard Server installed; set your DSN, Log path & sync options at the top of the script and then add your email details below if you want email alerting (It’ll only alert on failures, but the local logs will be created regardless). For those of you who may have used my previous sync script(s), the key change in this one is the use of the previously unknown (to me) CanSynchronizeDirectory() function to check that nobody else is currently syncing the database before attempting it.

#Safeguard Directory Synchronisation Tool
#Adam Beardwood 04/02/2010
#v1.0 - Initial Release
#v2.0 - Cleanup re-write with better error and email handling
#Load Safeguard .NET Assembly for use
#---Declare Variables---
#DateTime Stamp (HH = 24-hour clock, so morning and afternoon runs get different log names)
$DTS = Get-Date -Format yyyy-MM-dd--HH-mm
#Root DSN to bind connection to
$dsn = "DC=somedomain,DC=co,DC=uk"
#Location for Log File
$logFileName = "C:\Logs\SGSync."+$DTS+".log"
#Sync Group Membership [0|1]
$membership = 1
#Sync Account State [0|1]
$accountState = 1
#Relocate Move Objects if they have been relocated to another sync'd OU [0|1]
$takeCareOfMovedObjects = 1
#Reference Vars for Functions
[ref] $CanSync = $null
#---End Variables---
#---Define Functions---
#Function to send email alert
Function SendEmail ($Errs){
#-- Set variables for email notification --
$smtpServer = ""
$mailto = "<>"
$mailfrom = "SGE AD Sync<>"
$mailsubject = "SGE Sync Process"
#Body text is a here-string; the closing "@ must start its own line
$bodytext = @"
The Safeguard Enterprise Automated Sync process ran. The following errors occurred:
$(foreach($item in $Errs){$item;"`r"})
"@
$att = $logFileName
Send-MailMessage -To $mailto -From $mailfrom -Subject $mailsubject -Body $bodytext -Smtpserver $smtpserver -Attachments $att
write-host "Email sent, also," $Errs
}
#Function to actually sync Safeguard
Function SGSync ($OU){
$adsStartContainer = $OU+","+$dsn
write-host "Syncing:" $adsStartContainer
#The literal 1 makes the sync include all sub-OUs; 0 syncs only the specified OU
[ref] $Outcome = $Directory.SynchronizeDirectory($dsn, $adsStartContainer, 1, $logFileName, $membership, $accountState, $takeCareOfMovedObjects)
$Result = $Scripting.GetLastError($Outcome)
write-host "GetLastError returns:" $Result
}
#---End Functions---
#Create scripting objects, authenticate to directory and then initialise the sync process
write-host "Synchronization of Users & Computers ... Started"
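try{$Scripting = new-object Utimaco.SafeGuard.AdministrationConsole.Scripting.Base}
catch{write-host "An Error Occurred While Attempting To Load Safeguard Directory Synchronisation Libraries. Quitting...";exit 1}
try{
	#Authentication call goes here; it is not present in the script as published on this page
}
catch{write-host "Error: This machine doesn't appear to have the Safeguard Server component installed, so it can't authenticate in this way. Quitting...";exit 1}
$Directory = $Scripting.CreateDirectoryClassInstance()
#Check if we can sync
#CanSynchronizeDirectory() is the check named in the post; passing $CanSync by reference is assumed from its [ref] declaration
$Result = $Directory.CanSynchronizeDirectory($CanSync)
if($($CanSync.Value) -eq 1){
	#---Sync the following OUs---
	#One SGSync call per OU, given relative to $dsn ("OU=Some OU" is a placeholder)
	SGSync "OU=Some OU"
}else{
	write-host "Unable to Sync - Another syncronisation is already in progress"
}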
#Free up resources
#Get errors from the generated log file
$Errs = select-string -pattern "Failure" -path $logFileName
#Send email alert
if($Errs -ne $null){SendEmail $Errs}
write-host "Synchronization of Users & Computers...End"
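
The script only emails when the log contains "Failure", so a run refused by the lock check, or one that leaves no log at all, ends without any alert. The following is an added example, not part of the original script, of a check that treats those cases as alert conditions too; `Get-SyncAlertReasons`, its parameters and the sample log lines are constructed for illustration.

```powershell
# Added example: Get-SyncAlertReasons is a hypothetical helper, not part of the script.
function Get-SyncAlertReasons {
    param(
        [Parameter(Mandatory=$true)] [string] $LogPath,
        [Parameter(Mandatory=$true)] [bool]   $SyncAttempted
    )
    $reasons = @()
    if (-not $SyncAttempted) {
        # Lock check refused the run: SynchronizeDirectory was never called,
        # so there is no log to scan and the original script stays silent.
        $reasons += "Sync skipped: another synchronisation was reported in progress"
    }
    elseif (-not (Test-Path -Path $LogPath)) {
        # A sync was attempted but left no log, so its outcome is unknown.
        $reasons += "Sync attempted but no log file was found at $LogPath"
    }
    else {
        # Same "Failure" match as the script, keeping line numbers for the report.
        foreach ($hit in @(Select-String -Pattern "Failure" -Path $LogPath)) {
            $reasons += "Log line $($hit.LineNumber): $($hit.Line.Trim())"
        }
    }
    return ,$reasons   # leading comma keeps an empty or one-item result as an array
}

# Constructed sample log (not real Safeguard output) to exercise each case.
$sampleLog = Join-Path ([System.IO.Path]::GetTempPath()) "SGSync.sample.log"
Set-Content -Path $sampleLog -Value @(
    "Synchronising OU=Some OU,DC=somedomain,DC=co,DC=uk",
    "Object CN=Constructed User: Failure",
    "Object CN=Another User: Success"
)
$cases = @{
    "log with a failure" = Get-SyncAlertReasons -LogPath $sampleLog -SyncAttempted $true
    "log missing"        = Get-SyncAlertReasons -LogPath "$sampleLog.none" -SyncAttempted $true
    "run skipped"        = Get-SyncAlertReasons -LogPath $sampleLog -SyncAttempted $false
}
foreach ($name in $cases.Keys) {
    Write-Host "$name -> $($cases[$name].Count) alert reason(s)"
    $cases[$name] | ForEach-Object { Write-Host "    $_" }
}
Remove-Item -Path $sampleLog
# In the sync script: if the list is non-empty, call SendEmail with it and exit 1.
```

To use it in the sync script, set a flag in the branch that calls SGSync and pass it as `-SyncAttempted`, with `$logFileName` as `-LogPath`.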

11 Replies to “Sophos/Utimaco Safeguard Enterprise Auto-Sync Script”

  1. When you specify an OU to sync, will the code recursively sync all sub-OUs of the specified OU?

    for example OU “Some OU” has 10 sub-OU beneath it. Can I just use:


    OR must I list each sub-OU individually:



    1. Yes, it’s actually something I totally forgot to account for because I never needed to sync just a single level OU, but you can change the behaviour in this line:

      $Directory.SynchronizeDirectory($dsn, $adsStartContainer, 1, $logFileName, $membership, $accountState, $takeCareOfMovedObjects)

      That lone “1” amongst all the variables controls whether it syncs sub-OUs or not. 1 means sync all sub-OUs and 0 will just sync the specified OU.

  2. Thanks for the script. Unfortunately I can’t get it to work.

    First I always get the message “Unable to Sync – Another syncronisation is already in progress” even if there is no one else connected to the server and no synchronisation is in progress.

    If I disable this check I get this message for every OU I’m trying to synchronise: “GetLastError returns: 22”

    The SafeGuard Management Center is installed with the version on this server.

    I would appreciate it if you could help.


    1. Does the sync via the Management Console work? If not then there’s a DB flag somewhere that I forget which needs to be flipped so that it doesn’t think it’s syncing.

      Otherwise, I’ve only tested the script up to 5.50.1 so there might be some change in 5.60 that breaks things.

      Edit: Looking at the 5.60 API docs it doesn’t look like they’ve changed anything major, although they do appear to have added the “Directory::ResetSynchronizationLock()” function to fix the above issue with a DB that thinks it’s being sync’d when it isn’t.

  3. Thank you for this post, I was beating my head against the wall before I found your post.

    I was working in C# so your post made it easier for me to convert Sophos’ VBScripts to the .Net Framework.

  4. Hey Admin,
    What other scripts do you have for safeguard??

    I am new to PowerShell but aggressively trying to figure it out. I am currently working on trying to use PowerShell to clean up Active Directory and Safeguard.

    1. The only major things I wrote were this and the mass user addition/removal script here:

      I did write a couple of little things for grabbing stats from the database and for checking for various versions of things with the management tools, but nothing too fancy.

      If you haven’t already found them, the management API docs are here: though they’re not exactly amazingly helpful.

  5. Hey I am so glad I found your web site, I really found
    you by error, while I was looking on Yahoo for something else, Anyhow
    I am here now and would just like to say cheers for a marvelous
    post and a all round exciting blog (I also love the theme/design), I don’t have time to look over it all at the moment but I have saved it
    and also added in your RSS feeds, so when I have time I
    will be back to read a lot more, Please do keep up the awesome

  6. Does this still work with Version 8?
    I need this script so we don’t have to give helpdesk access to the server just to sync safeguard with AD after they make a change in AD.

    1. Not sure, I’ve not been in an environment with Safeguard since v6 so you’d have to check the API docs and see if they’ve made any major breaking changes. At the very least I’d expect the core of the code to still be the same.
