
SEC 5.5.1 launch error : The user "domain\account" is not assigned to any subestates.

Hello, 

When I try to launch the SEC I get the "subestates" error message.

My domain account is a member of the Sophos Full Administrators local group.

I have looked around the dbo.UserSubEstates, dbo.Users, dbo.SubEstates ... and it should all be good.

It seems that no matter what I change/modify, the error message won't go away. (I have created a "test" subestate in the database, mapped my account to it ... still the same error.)
Does anyone have an idea of what the next step would be? I need to get this fixed and launch this console.

Thank you.
  • Hello Mihai,

    The simplest possible reason behind this transient error is often communication issues between SEC and the AD server. If you can check for any potential issues faced by SEC while communicating with the AD, this might help resolve this once and for all.

    Thanks,

    Vikas

  • Hello Mihai and Vikas,

    as far as I understand it the issue is 1. not transient but permanent and 2. was observed on two different servers.

    I assume that the error is logged in the DirectoryService.log (%ProgramData%\Sophos\ManagementServer\log\) but can't say if it contains any additional useful information. Hm ... you have perhaps some other user that can log in to the server, if not create one and make it a member of the Sophos Full Administrators group. Wonder if you get the same error. Or did you already try with another user?

    Christian 

  • Hello,

    the logs in %ProgramData%\Sophos\ManagementServer\log\ do not seem to contain any info related to our issue.

    Performing a test with a newly created local user (not domain) that I then added to the local admin group and the Sophos Full Administrators group on the server, I have experienced a different error message:

    " in order to be able to execute the SEC you must be a member of the Sophos Console Administrators group and have a DCOM access on the "servername" "

    Making the account a member of the Console Admins doesn't change the error :)

    Thanks,

    Mihai

  • Hello Mihai,

    "you must be a member of the Sophos Console Administrators group"
    sorry, forgot to mention the SCA group. DCOM membership should only be necessary for a Remote Console. Excuse me for mentioning the obvious: a logoff/logon is required after changing group membership.
    Anyway, the newly created user should either be able to open the console or encounter the no subestate error.

    Christian

  • Hello,

    The last test shows that using the newly created local test user, the console opens OK.

    On the other hand, I still have the same subestate errors for all the existing domain accounts, although the group membership on the Sophos machine is identical between the local and domain accounts (moreover, the domain accounts should have even more permissions, as they are members of several domain and Exchange admin groups).

    One thing that may be important to mention is that some time ago the domain controllers of our domain were replaced, so I don't know if that could impact the authentication of domain accounts on the Sophos machine (I mean if anywhere, in the registry for example, the name of an old DC that is no longer available might be referenced).

    Bottom line is that we need to use the domain accounts, and given that the permissions look the same between those and the local test account that works ... I don't know where to go next from here.

    Thank you,

    Mihai

  • Hello Mihai,

    so Vikas was more or less correct.

    SEC shouldn't be aware of AD specifics like DCs. It uses Windows APIs and names (not SIDs) whenever possible. It seems to be some issue with the Sophos Full Administrators security group. You can log on with the domain account, you are also able to start the Console - i.e. you get as far as the no sub-estates that suggests that membership for the Sophos Console Administrators group is correctly seen. You can test this assumption by removing a domain account from this group (watch for inheritance) - you should then get the must be a member error.
    Does net localgroup "sophos full administrators" output the expected members?

    Christian

  • Hello,

    Removing the domain account from the Sophos Console Administrators does indeed produce the "must be a member of" error instead of the sub-estates one.

    The net localgroup on the Sophos Full Administrators provides the correct output, with the domain accounts and the test local one as members of this group.

    Mihai

  • Additionally, taking the test local account out of the Sophos Full Administrators group and leaving it a member only of the Sophos Console Admins group yields the same "sub-estate" error as for the domain account.

    So it looks like it is a problem with the membership of domain accounts in the local Sophos Full Admins group. I should add that in the past I have removed and replaced the domain accounts in the group, deleted the group altogether and recreated it, deleted the group/uninstalled Sophos/reinstalled Sophos/verified the group is there with correct membership ... but in the end only to get the same sub-estates error.

    Mihai

  • Hello Mihai,

    strange. Can't say what particular API SEC uses but it shouldn't make a difference in this simple scenario (your domain accounts are direct members as is your local test account that encounters the same error).

    An inconsistency in the database would also be strange given that two independent (if I understand correctly) installs show the same behaviour. After SEC install the Users table should have a row with ID=1, Name=Sophos Full Administrators, in UserSubEstates there should be a row UserID=1, SubEstateID=1, and the same in UserRoles. And of course there must be a (the default) subestate with ID=1 in SubEstates.

    Christian
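A T-SQL query that checks the rows described in the post above, added here as an example; it is not from the thread or from Sophos's own tooling. It uses the column names the post gives (Users.ID/Name, UserSubEstates.UserID/SubEstateID, SubEstates.ID) and assumes that SubEstates has a Name column and that UserRoles has UserID and RoleID columns, which the thread does not state.

```sql
-- Added example, not Sophos code. Run against the SEC database.
-- Part 1: the baseline rows a fresh install should have, per the post above.
-- Every count should be >= 1; a 0 points at the inconsistency being discussed.
SELECT
    (SELECT COUNT(*) FROM dbo.Users
      WHERE ID = 1 AND Name = 'Sophos Full Administrators')            AS FullAdminsUserRow,
    (SELECT COUNT(*) FROM dbo.UserSubEstates
      WHERE UserID = 1 AND SubEstateID = 1)                            AS FullAdminsSubEstateRow,
    (SELECT COUNT(*) FROM dbo.UserRoles
      WHERE UserID = 1)                                                AS FullAdminsRoleRows,
    (SELECT COUNT(*) FROM dbo.SubEstates
      WHERE ID = 1)                                                    AS DefaultSubEstateRow;

-- Part 2: every user with its sub-estate and role mappings.
-- A user whose SubEstateCheck says 'NO SUB-ESTATE' has no row in
-- dbo.UserSubEstates, which is the condition behind the
-- "not assigned to any subestates" message.
-- Assumed column names (not given in the thread): se.Name, ur.RoleID.
SELECT
    u.ID        AS UserID,
    u.Name      AS UserName,
    se.ID       AS SubEstateID,
    se.Name     AS SubEstateName,   -- assumed column
    ur.RoleID   AS RoleID,          -- assumed column
    CASE WHEN us.UserID IS NULL THEN 'NO SUB-ESTATE' ELSE 'ok' END AS SubEstateCheck
FROM dbo.Users AS u
LEFT JOIN dbo.UserSubEstates AS us ON us.UserID = u.ID
LEFT JOIN dbo.SubEstates     AS se ON se.ID     = us.SubEstateID
LEFT JOIN dbo.UserRoles      AS ur ON ur.UserID = u.ID
ORDER BY u.ID, se.ID, ur.RoleID;
```

Note that these rows map a Users.Name to sub-estates; whether the logged-on account resolves to that name is decided by the local group lookup (net localgroup), not by the database, so a clean result here does not by itself rule out the group-membership problem the thread goes on to discuss.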

  • Hello Mihai,

    forget my previous post ... you said it works with the local account. What was I thinking ....???

    I have no idea why it should affect just this particular group. Perhaps has some idea and can suggest a further course of action.

    Christian

  • Hello,

    The entries in the dbo's are in line with what you have stated, with the addition in dbo.Users of a second line for my domain account, in dbo.SubEstates of an additional sub-estate named "test", and with the creation of a second row in dbo.UserSubEstates with "2 2" in order to assign my account to this additional subestate that I have created.

    What is also strange is that if I manually remove my domain account from the Sophos Full Administrators, at the next logon it is automatically added back. I have looked at RSOP on the machine and can't find any GPO setting with that effect.

    Could that be a result of the entries that exist in the Sophos databases? And could that also play a role in this strange behavior?

    Mihai

  • Yeah ... really strange behavior. I tried with a new domain account that I added to the correct groups on the Sophos server, only to get the sub-estates error again.

    It's like the Sophos Full Admins local group doesn't take into account any domain identities.

    More interesting: opening the console with the local account, we can see the subestates (the default one assigned to the Sophos Full Admins group and the test one assigned to my domain account), but that doesn't really change the error we are getting for the domain accounts.

    Thanks,

    Mihai