Role Base Administration

Hi,

I have a central SEC with a domain controller. I installed a remote console in the same domain on another server. I configured the remote console into a role or sub-estate; the user that I used is a member of:

 the Sophos Console Administrators group

the Distributed COM Users group

Be assigned to at least one Enterprise Console role.

Be assigned to at least one Enterprise Console sub-estate.

the Sophos DB Admins

When I run the remote management console in the sub-estate that I configured on the central SEC, it fails.

The link below is the screenshot of the remote console.

http://www.ge.tt/#!/2M460eJ/v/0

Can anyone help?

Thanks,

Teddy

:26281


  • Hello Teddy,

    if you select this user in the User and Group View of Manage roles and sub-estates, does it show at least one role and sub-estate (could you perhaps provide a screenshot)?

    Christian

    :26283
  • Hi Christian,

    Thanks for your reply. Yes, I selected the user, as you can see in the screenshot at the link below.

    http://www.ge.tt/#!/1DPSChJ/v/0

    Thanks,

    Teddy

    :26307
  • Hello Teddy,

    did I understand you correctly that your management server is a DC? And SERVERAV is the server you are running the remote console on and Sophos2 is a local user there or is it the domain? Where did you take the screenshot - the management server or the remote console? 

    I'm asking because what you showed looks basically ok. The message means you get as far as successfully connecting the console (so group membership and all that must be correct).  Right now I have no idea why it could fail. Oh, BTW, if you try to run the remote console as Sophos Full Administrator - does it work? Apart from this there's a post on diagnosing RBA (role based administration).

    Christian

    :26331
  • Hi Christian,

    Yes, my management server is a DC, which is SERVERAV. I made a local user on the DC, which is SOPHOS2.

    "Where did you take the screenshot - the management server or the remote console?" I took the screenshot on the management server, not on the remote console.

    "if you try to run the remote console as Sophos Full Administrator - does it work?" Yes it will work but no roles will display.

    Thanks,

    Tedz

    :26353
  • Hello Teddy,

    I'm not sure I understand you correctly. There are no local users on a Domain Controller (AFAIK - if I'm wrong, how do you go about adding it?). 

    no roles will display

    This too I don't understand - could you please post a screenshot where'd you expect to see them? I might be thinking on the wrong track though - so please excuse if I'm missing the obvious.

    In general you should use domain accounts - less of a headache this way.

    Christian

    :26369
  • Hi Christian,

    The screenshot is at the link below. Sorry for my wrong post: the Sophos2 user is not a local account, it is a domain controller account.

    http://www.ge.tt/#!/6g62hnJ/v/0

    Thanks,

    Tedz

    :26421
  • Hello Teddy,

    thanks - still looks ok. Could you please also show the remote console when you open it using the Full Administrator Account?

    Christian

    :26429
  • Hi,

    One option would be to enable trace logging in the Sophos Management service with respect to RBA. To do so:

    1. Close all Enterprise Consoles that are open.

    2. Stop the "Sophos Management Service" service.

    3. Add the following registry keys to the management server:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Trace\{48502EEA-4629-4dd6-9D67-CBB1A80C29A4}]
    @="TraceRBA"
    "ErrorLevel"=dword:00000003

    Please adjust accordingly for a 64-bit OS.

    4. Start the "Sophos Management Service"

    5. Download and start DebugView (on the management service machine), available from: http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
    Remember to "run as administrator" as required.
    Under the "Capture" menu choose: "Capture Global Win32" and "Capture Win32" if they exist

    6. Launch Enterprise Console as the user for whom it fails when set up as you would expect it to work.

    DebugView should populate with verbose logging of the significant components, which can be saved as a log file and should help to determine the problem. Maybe paste, or link to the log here.

    If that doesn't help, we might need trace logging from the "Console" component as well. So in the case of a remote console, the same steps as above but the key would be:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\TraceOFF\{9D624120-2E7B-47a2-BD4D-BDEB7E5388D3}]
    @="TraceConsole"
    "ErrorLevel"=dword:00000003

    I hope it helps get some logs that are useful.

    Regards,
    Jak

    :26431
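Steps 2 to 4 of the procedure above as one elevated PowerShell script. This is an added example, not code from the thread or from Sophos. It assumes that "adjust accordingly for a 64-bit OS" means the `Wow6432Node` registry view, and the `-Disable` switch is a hypothetical addition for removing the trace key once the capture is saved, so verbose tracing is not left on.

```powershell
# Added example: steps 2-4 of the trace-logging procedure, run from an elevated prompt.
# Step 1 (close every Enterprise Console) and steps 5-6 (DebugView, reproduce the
# failure as the affected user) stay manual.
param(
    [switch]$Disable   # hypothetical switch: remove the trace key after the capture
)

$ErrorActionPreference = 'Stop'

$serviceName = 'Sophos Management Service'                 # display name given in the post
$guid        = '{48502EEA-4629-4dd6-9D67-CBB1A80C29A4}'    # TraceRBA key from the post

# Assumption: on a 64-bit OS the key lives under the Wow6432Node view.
$root = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Sophos\Trace'
} else {
    'HKLM:\SOFTWARE\Sophos\Trace'
}
$key = Join-Path $root $guid

Stop-Service -DisplayName $serviceName
try {
    if ($Disable) {
        if (Test-Path -LiteralPath $key) {
            Remove-Item -LiteralPath $key -Recurse
        }
    } else {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null           # creates missing parent keys too
        }
        Set-ItemProperty -LiteralPath $key -Name '(default)' -Value 'TraceRBA'
        New-ItemProperty -LiteralPath $key -Name 'ErrorLevel' `
            -PropertyType DWord -Value 3 -Force | Out-Null
    }
} finally {
    # Always bring the service back, even if the registry change failed.
    Start-Service -DisplayName $serviceName
}

# Show what is now configured (prints nothing after -Disable).
Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
```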
  • Hi Christian,

    Below is the link to the screenshot of the remote server with the Sophos Full Administrator, as you see in the screenshot of the central server.

    http://www.ge.tt/#!/8J4W5oJ/v/0

    Thanks,

    Tedz

    :26433
    This is perhaps the best option (I've suggested it in my second reply but just included the link ;-)).

    I have no idea where it gets confused (BTW: why did you specify the server by IP instead of name when installing the remote console?). Just one more thing - you said "Yes it will work [as Full Administrator] but no roles will display" - what does "no roles will display" mean, and can you select (as Full) the sophos sub-estate?

    Christian

    :26439