Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 4044 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Client protection with local Windows Policies Enabled

uiltgilgiluhgjo

Hey

I Configured a Server (Workgroup Enviroment) with sophos Enterprise Console 5 which works on clients with no local windows policies enabled all clients get there updates and sophos works very well.

Now i got another network with the same configuration only now all this clients have Windows security policies enabled.

Now when i try to push sophos to this Client i get the 3051 error which means the Server cannot create the SophosSAU<computername> or the password(policy) account for some reason.

Things i done to solve this problem:\

- Put policies off > Result is that everything works but i want policies enabled so this is not a solution for me.

The fault is that  the clients policy ask for a complex password  like 7 characters and a number for example

which causes Enterprise Console to give the 3051 error

My question is:

- Is there a possibilty to let the server (Enterprise Console) make a  local SophosSAU<computername> account  on the client with a complex password? and how to do that? or a workaround for this?

Greets Ronnie

EDIT:

i found this topic:

http://www.sophos.com/support/knowledgebase/article/48910.html

My question is is this for server side or client side? and anything to configure after?

:22283


This thread was automatically locked due to age.
Parents
  • 0

    Solution:

    Workgroup Configuration with password policy enabled

    First of all i started with a clean Configuration of Windows and Enterprise Console 5 (With 5 you can select a default update account).

    The first thing i did was installing alle pre-reqs and after i started to install Enterprise Console.

    When Enterprise Console asks for making a SQL instance SOPHOS make it and enter your admin account:

    Administrator / Password

    The next tab where u have to fill in something which needs attention is the part Update Manager Account(Default Update account):

    SophosUpdateaccount / Password ( i did make a complex password for example: P@ssw0rd1

    TIP: Remember or write down this password

    After this just install Sophos Enterprise Console like u do normal.

    After installation update the CID and Warehouse with the newest version in :

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Update your Update Manager in your Enterprise Console with the latest Binaries. And Select which Subcription will be installed on your Clients (under recommended).

    On your dashboard also make a folder under Unassigned  like Assigned.

    Now search for computers on your network and first let them all stay in Unassigned.

    The only thing u can do now is update your server with Sophos Client if u need to cause this one doesnt have password policy's.

    Next thing i did is check if my SophosUpdateaccount has read rights on 

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Second i checked that i have a admin account in computer management on the server  which is also admin on the clients for example:

    clientadmin / password

    This is the account which can install software on the clients when protecting the computers.

    Clients part:

    On the client i made a account which normally Sophosinstalller makes but cause of the the password policy it cannot:

    In computermanagement on the client add the following account:

    SophosSAU<Computername>0

    I did give this one the same complex password as the SophosUpdateaccount ( i did make a complex password )

    Next thing i did is edit regedit before the Sophosinstaller makes the keys:

    I made a sophos.reg file with this settings:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "Download User"="SophosSAU<computername>0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "Download Password"="P@ssw0rd1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]

    ObfuscatedPassword" =dword:0000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "UserPreset"=dword:00000001

    I put them in the registery before pushing the install from the Server with Enterprise Console

    After this u can push a install of Sophos Client to the clients (unassigned) from the Enterprise Console without having problems with password complexity.

    Greets Ronnie!!

    PS.

    Im busy with making this regedit settings and adding accounts go automatically with a script.

    When i found out and tested i will post it here. 

    :22357
Reply
  • 0

    Solution:

    Workgroup Configuration with password policy enabled

    First of all i started with a clean Configuration of Windows and Enterprise Console 5 (With 5 you can select a default update account).

    The first thing i did was installing alle pre-reqs and after i started to install Enterprise Console.

    When Enterprise Console asks for making a SQL instance SOPHOS make it and enter your admin account:

    Administrator / Password

    The next tab where u have to fill in something which needs attention is the part Update Manager Account(Default Update account):

    SophosUpdateaccount / Password ( i did make a complex password for example: P@ssw0rd1

    TIP: Remember or write down this password

    After this just install Sophos Enterprise Console like u do normal.

    After installation update the CID and Warehouse with the newest version in :

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Update your Update Manager in your Enterprise Console with the latest Binaries. And Select which Subcription will be installed on your Clients (under recommended).

    On your dashboard also make a folder under Unassigned  like Assigned.

    Now search for computers on your network and first let them all stay in Unassigned.

    The only thing u can do now is update your server with Sophos Client if u need to cause this one doesnt have password policy's.

    Next thing i did is check if my SophosUpdateaccount has read rights on 

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Second i checked that i have a admin account in computer management on the server  which is also admin on the clients for example:

    clientadmin / password

    This is the account which can install software on the clients when protecting the computers.

    Clients part:

    On the client i made a account which normally Sophosinstalller makes but cause of the the password policy it cannot:

    In computermanagement on the client add the following account:

    SophosSAU<Computername>0

    I did give this one the same complex password as the SophosUpdateaccount ( i did make a complex password )

    Next thing i did is edit regedit before the Sophosinstaller makes the keys:

    I made a sophos.reg file with this settings:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "Download User"="SophosSAU<computername>0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "Download Password"="P@ssw0rd1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]

    ObfuscatedPassword" =dword:0000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    "UserPreset"=dword:00000001

    I put them in the registery before pushing the install from the Server with Enterprise Console

    After this u can push a install of Sophos Client to the clients (unassigned) from the Enterprise Console without having problems with password complexity.

    Greets Ronnie!!

    PS.

    Im busy with making this regedit settings and adding accounts go automatically with a script.

    When i found out and tested i will post it here. 

    :22357
Children
No Data