This discussion has been locked.

password change for account used to sync to AD

Where is this account saved? If we change the password for this account, can we easily change it in Sophos?

:33827


This thread was automatically locked due to age.
  • Hi,

    To actually sync with AD, no user-specified account is used.  The management service running as local system queries the directory as the computer account.

    An account is only stored if you set up auto-deploy on the sync point.  So if you have specified an auto-deploy account and password in the properties of a sync point, the account name is referenced in the database, in the SyncPointData table as the UserName column.  The password for this account is stored securely in the registry under the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\EE\Management Tools\

    as syncdata I think it is.

    So if you change the password for the account used for auto-deploy, you would have to open the properties of all sync points using the account and retype the password.  If you have many sync points, some of which have auto-deploy and others using a different account, you could get a list of SEC groups using the account with the SQL query:

    SELECT s.ADContainer, s.UserName, g.PathAndName
    FROM SyncPointData AS s
    INNER JOIN GroupPathAndNameTable() AS g ON g.GroupID = s.GroupID
    WHERE s.UserName LIKE '%Administrator%'

    Note: Update the Administrator in the SQL if required.

    As a single command to run:

    sqlcmd -E -S (local)\sophos -d sophos51 -Q "SELECT s.ADContainer, s.UserName, g.PathAndName FROM SyncPointData as s inner join GroupPathAndNameTable() as g on g.GroupID = s.GroupID where s.UserName like '%Administrator%'" -o C:\sync.txt

    This will create the output file: C:\sync.txt.

    It assumes you are using SEC 5.1, hence the SOPHOS51 database; for other database names see: http://www.sophos.com/en-us/support/knowledgebase/17323.aspx.

    It also assumes you are using a default SOPHOS named instance and it is local to the computer running the above command.

    Regards,

    Jak

    :33831
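An added example, not part of the reply above or of Sophos documentation: before rotating a password, it helps to inventory every stored auto-deploy account rather than searching for one name. The table, column and function names are the ones quoted in the reply; that sync points without auto-deploy have a NULL or empty UserName is an assumption.

```sql
-- Added example: inventory of all stored auto-deploy accounts.
-- SyncPointData, UserName, ADContainer, GroupID and GroupPathAndNameTable()
-- are taken from the reply above.
-- Assumption: sync points without auto-deploy have a NULL or empty UserName.
USE SOPHOS51;  -- database name for SEC 5.1 per the reply; adjust for other versions

-- 1. How many sync points depend on each stored account.
--    Any account listed here needs its password retyped in SEC after a change.
SELECT s.UserName,
       COUNT(*) AS SyncPointCount
FROM SyncPointData AS s
WHERE s.UserName IS NOT NULL
  AND s.UserName <> ''
GROUP BY s.UserName
ORDER BY SyncPointCount DESC;

-- 2. Per-account checklist: the SEC group and AD container of each sync point,
--    sorted so all sync points sharing an account appear together.
SELECT s.UserName,
       g.PathAndName,
       s.ADContainer
FROM SyncPointData AS s
INNER JOIN GroupPathAndNameTable() AS g
        ON g.GroupID = s.GroupID
WHERE s.UserName IS NOT NULL
  AND s.UserName <> ''
ORDER BY s.UserName, g.PathAndName;
```

The first result set also shows at a glance whether a highly privileged account is stored for many sync points and might be replaced with a dedicated deployment account.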