During the installation of Enterprise Console you are required to enter a username and password for two Windows accounts. These accounts are not automatically created by the installer and therefore must be manually created by you (or your network administrator). Once created you can then enter the username and associated password for both accounts into the Enterprise Console installer.
This article contains information regarding these Windows user accounts, why they are required, how to create them and also how they are used.
Note: If you are installing just the 'Management Console' component to a computer, i.e. a remote Enterprise Console, the account requested during the installation should be the same as the account the 'Sophos Management Host' service is running as on the Sophos management server. This is referenced as 'SophosManagement' in this article.
Applies to the following Sophos product(s) and version(s) Enterprise Console 5.2.2Enterprise Console 5.3.0Enterprise Console 5.3.1Enterprise Console 5.4.0
Your Sophos management server requires two accounts to be used. One account is used to run a number of services and provide access to the database and the other is used to enable the clients to update from the 'SophosUpdate' share on the server.
Note: We will refer to the 'Sophos Update Manager' component as 'SUM' from now on. SUM is a component of your Sophos management server that downloads software and Anti-Virus protection updates from our servers.
We recommend you create two accounts, one for each role. We also recommend that you name the new accounts as follows:
If your management server is in a domain environment, we recommend these are domain accounts. If your management server is part of a workgroup, these should be local accounts on the management server.
Note: Prior to Enterprise Console 5.x, the database account was not required when all components (e.g., console, database, SUM) were installed on the same server. If you are upgrading to Enterprise Console 5.x from a previous version we recommend you create a new database account for this purpose.
Follow steps one and two below. They will first enable you to determine if you need to create domain or local accounts and then explain how to create the accounts correctly.
If required, more (advanced) information about the accounts and their purpose can be found in the Technical Information section at the bottom of this article.
If the computer is a member of a domain, it is recommended you create domain accounts (i.e., create the accounts on the computer that is your domain controller), however you could create the accounts on the local server that is not your domain controller - but we do not recommend this.
If it is a member of workgroup, you should create local accounts.
Depending on your environment (as established in step 1 above) following the appropriate section below.
You have now created the two accounts required by the Sophos Enterprise Console installer.
When prompted during the installation of Enterprise Console enter the accounts created in this article.
The additional detailed information below is provided for the advanced user who would like to know how the accounts are used.
The 'database' account is used by the Sophos Management Service (the process name is 'mgntsvc.exe') to connect to the database. During installation the account is written to the key shown below for the Sophos Management Service to use when connecting to the database.
The following Sophos services (if they exist) are also set to log on as this account:
Enterprise Console also uses the ‘database’ user to enable it to communicate with the Sophos Management Host service, which implements the web services on the management server. It is for this reason that when installing a remote console, the ‘database’ account is requested.
The account the Sophos Management Host service runs as should be the same user. It is therefore recommended that the account is a domain account when installing in a domain environment.
The account must fulfill the following requirements:
It is strongly suggested that:
The SUM account is used in the default updating policies within Enterprise Console. It enables the clients to gain access to the distribution locations to perform updates.
The account is required to provide clients read access to the distribution location share, by default: \\[servername]\SophosUpdate\.
It is strongly suggested that the account:
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.