
SophosUpdateMgr account in AD gone

Hi,

Our clients show a failed error on update status, and we noticed that the SophosUpdateMgr account is no longer in our AD. Nobody removed that user account from AD.

Any idea what might have caused it? We uninstalled Sophos Update Manager on one of our DC servers and could not reinstall it again due to user authentication. Do you think this might have caused the error?

Thanks to those who could give some input.



  • Hello Jun,

    was the SUM you tried to reinstall a child SUM? If so - is your management server on another DC? Do all your clients have this problem? You'll probably have to re-add the account. Please take a look at Sophos Update Manager -- Error 25075: Cannot add user SophosUpdateMgr on server * The installer has found an existing account for Sophos Update Manager ... and How to change the password for Sophos Update Manager (SUM).

    If none of these help, please describe your setup in detail and also post the specific error you encounter during reinstall.

    Christian

  • Re-created the account in our AD and all seems to be OK now. What really puzzles me is what triggered the removal of the account? Really weird.

  • I reckon the answer to your first question ("Did removing Sophos Update Manager from a different server have anything to do with it?") is yes!

    Have just run into the same problem. Had Enterprise Console on an old 2000 server. Needed to relocate it to a new server. Didn't bother with a migration as I'm only protecting 60 clients. I'd simply reprotect the clients from the new installation.

    First uninstalled all sophos components from the old server but ran into difficulties with the removal of Sophos AutoUpdate. It refused to uninstall. Decided to proceed with installation of SEC on the new server and all went well with all clients updating from the new installation. Then foolishly returned to the old server to see if I could clean it up! Yes, with a little help from Sophos support, I managed to uninstall Sophos AutoUpdate from the old server only to find that this process removed various Sophos groups and users from my active directory. Thus on the new server, Enterprise Console wouldn't open and all clients failed to update due to the loss of the SophosUpdateMgr account in AD.

    Managed to get going again by creating a Sophos Full Administrators group and making me a member. This gave me access to Enterprise Console again. Then created a new SophosUpdateMgr account in AD. Then updated all my clients. Success!

    Does anyone know what other Sophos group or user accounts may have been stripped out by the removal of Sophos AutoUpdate from the old server?

  • HI,

    It wouldn't have been AutoUpdate (SAU) that removed the accounts you mention. SAU only creates and removes the account:

    SophosSAU[machineName]0

    This is typically a local account, unless SAU is installed on a DC of course.  

    Having said that... I believe on removal of SAU that the installer will look in:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\AutoUpdate\Service

    "Download User"

    to know which account to remove. This should typically be the account I mention above, but I guess you might have put another account into this registry key?

    Otherwise it must have been other components that removed the groups, i.e. SEC or SUM.

    Regards,

    Jak

  • Hi Jak. Thanks for reply.

    The old server was indeed a DC. I reckon the mistake I made was to proceed with the new installation before I had completely removed every component from the old server.

    I'd still like to know what Sophos-linked users/groups I should have in my AD just in case I'm still missing some vital bits!

  • Hi,

    Off the top of my head...

    SEC

    Security Groups

    Sophos Console Administrators - Users who have access to the management service over DCOM.

    Sophos Console Service Users - New in SEC 5, finer grained access to the management service by the looks of it.

    Sophos DB Admins - This group is mapped to the SQL login, which in effect, through indirection of SQL users and roles gives users access to the stored procedures of the SOPHOS database.

    Sophos Full Administrators - As of SEC 4 for RBA.

    Sophos DB Users - no longer used, was used for reporting purposes.


    User accounts

    SophosUpdateMgr - This is the default account used by the clients to update from the SophosUpdate share. Custom install allows you to specify this, so this may or may not exist.


    You may also have a service account the Management Service uses to connect to the database. You would have this in a distributed install where the DB is on a different machine. This account would then need to be a member of the "Sophos DB Admins" group.

    Endpoint

    Security Groups

    SophosAdministrator - All members of local administrators group are added to this at install.

    SophosPowerUser - All members of local power users group are added to this at install.

    SophosUser - All members of local users group are added to this at install.

    All the above relate to the ability a user has to launch the SAV GUI and perform operations as specified in the Quarantine user rights.

    SophosOnAccess - used by the driver, no need to worry about this one.

    User accounts

    SophosSAU[machinenameorpartof][num] - used by SAU.

    I think that's it. Obviously, if installing on a domain they would be domain local groups and domain users; otherwise local groups and local users were automatically created.

    Regards,

    Jak

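As an added example (not part of the original thread, and not Sophos's own tooling), the PowerShell script below checks which of the groups and accounts Jak lists actually exist in AD, looks for the SophosSAU* accounts, and reads the SAU "Download User" registry value he mentions. It assumes the RSAT ActiveDirectory module is available on a domain-joined host; the group and account names come from the thread, and the New-ADGroup call runs with -WhatIf so it only reports which group it would recreate.

```powershell
# Added example: inventory the Sophos principals named in the thread.
# Assumes: RSAT ActiveDirectory module, domain-joined host, rights to read AD.
Import-Module ActiveDirectory

# SEC security groups (names as listed in the thread)
$secGroups = @(
    'Sophos Console Administrators',
    'Sophos Console Service Users',
    'Sophos DB Admins',
    'Sophos Full Administrators',
    'Sophos DB Users'
)
# Endpoint groups; on a DC these end up as domain local groups
$endpointGroups = @('SophosAdministrator', 'SophosPowerUser', 'SophosUser', 'SophosOnAccess')
# Default update account used by clients against the SophosUpdate share
$userAccounts = @('SophosUpdateMgr')

function Get-SophosPrincipalReport {
    foreach ($name in ($secGroups + $endpointGroups)) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Type    = 'Group'
            Present = [bool]$grp
            Scope   = if ($grp) { $grp.GroupScope } else { $null }
        }
    }
    foreach ($name in $userAccounts) {
        $usr = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $name; Type = 'User'; Present = [bool]$usr; Scope = $null }
    }
    # SAU accounts follow the SophosSAU<machine>0 pattern; list whatever exists
    Get-ADUser -Filter "SamAccountName -like 'SophosSAU*'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.SamAccountName; Type = 'User (SAU)'; Present = $true; Scope = $null }
        }
}

# The registry value the SAU uninstaller consults to decide which account to remove
function Get-SauDownloadUser {
    $paths = @(
        'HKLM:\SOFTWARE\Sophos\AutoUpdate\Service',
        'HKLM:\SOFTWARE\Wow6432Node\Sophos\AutoUpdate\Service'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $val = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Download User'
            if ($val) { [pscustomobject]@{ Path = $p; DownloadUser = $val } }
        }
    }
}

$report = Get-SophosPrincipalReport
$report | Format-Table -AutoSize

# Show the command that would recreate each missing SEC group as a domain local
# security group (the scope Jak recommends on a DC) without actually creating it.
$report | Where-Object { $_.Type -eq 'Group' -and -not $_.Present -and $secGroups -contains $_.Name } |
    ForEach-Object {
        New-ADGroup -Name $_.Name -GroupScope DomainLocal -GroupCategory Security -WhatIf
    }

Get-SauDownloadUser | Format-Table -AutoSize
```

Run it on the management server before and after touching any old installation: a "Download User" value that is not the local SophosSAU account is the case Jak describes where the SAU uninstaller could remove a shared domain account. Drop -WhatIf only once you have confirmed the group is genuinely gone.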
  • The following groups are in AD: SophosDomainAdministrator, SophosDomainPowerUser and SophosDomainUser. Can't say if they are populated; I have Domain Admins in the SophosDomainAdministrator but they might have been added manually. These groups become members of the corresponding local groups when Sophos is installed on an endpoint. From the object properties they date back to pre-SEC 4.0. Guess they are not vital.

    Christian

  • Hi, thanks for responses

    This is what I had left in my AD:

    Sophos DB Users

    SophosOnAccess

    SophosPowerUser

    SophosUser

    I've had to recreate Sophos Full Administrators in order to regain access to Enterprise Console

    I've recreated SophosUpdateMgr so that my clients can communicate/update from the console

    All appears to be working at the moment, but what about Sophos DB Admins and Sophos Console Administrators? They aren't there. Can they be simply manually recreated and, if so, what are the details I need to know?

    Any help appreciated

  • Hi,

    It's mainly used when you have a remote database, i.e. a distributed install. If the management service and database are on the same machine, as the management service runs as "local system" and doesn't impersonate a database account, it's not really required, as the management service, running as system, has full access to the database anyway.

    I would suggest re-creating the group "Sophos DB Admins" (domain local if you're on a DC). That way, when you do an upgrade in the future, you should be OK, as from SEC 5 the management service will always impersonate an account to gain access to the database, so the account (you will be forced to choose) would then need to be a member of the "Sophos DB Admins" group, unless of course the account it impersonates is a sysadmin on the DB anyway.

    Jak

  • Many thanks, Jak.

    Will follow your advice.
