
SEC 5.5.1 launch error : The user "domain\account" is not assigned to any subestates.

Hello, 

When I try to launch the SEC I get the "subestates" error message.

My domain account is a member of the Sophos Full Administrators local group.

I have looked around the dbo.UserSubEstates, dbo.Users, dbo.SubEstates ... and it should all be good.

It seems that no matter what I change/modify ... the error message won't go away. (I have created a "test" subestate in the database ... mapped my account to it ... still same error.)

 

Does anyone have an idea on what the next step would be? I need to get this fixed and launch this console.

 

Thank you.

 

 



  • Hello,

     

     

    Removing the domain account from the Sophos Console Administrators does indeed produce the "must be a member of" error ... instead of the sub-estates one.

     

    The net localgroup on the Sophos Full Administrators provides the correct output with the domain accounts and the test local one as members of this group.

     

     

    Mihai

  • Additionally, taking the test local account from the Sophos Full Administrators group and leaving him a member only of the Sophos Console Admins group yields the same "sub-estate" error like for the domain account.

    So it looks like it is a problem with the membership of domain accounts in the local Sophos Full Admins group. I should add that in the past I have removed and replaced the domain accounts in the group, deleted the group altogether and recreated it, deleted the group/uninstalled Sophos/reinstalled Sophos/verified the group is there with correct membership ... but in the end only to get the same sub-estates error.

     

     

    Mihai 

  • Hello Mihai,

    strange. Can't say what particular API SEC uses but it shouldn't make a difference in this simple scenario (your domain accounts are direct members as is your local test account that encounters the same error).

    An inconsistency in the database would also be strange given that two independent (if I understand correctly) installs show the same behaviour. After SEC install the Users table should have a row with ID=1, Name=Sophos Full Administrators, in UserSubEstates there should be a row UserID=1, SubEstateID=1, and the same in UserRoles. And of course there must be a (the default) subestate with ID=1 in SubEstates.

    Christian
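The default rows described in the post above can be checked with read-only queries. This is an added example, not part of the original thread and not Sophos code; table and column names are the ones quoted in the thread, `UserRoles.UserID` is an assumption, and the database name is not given on this page.

```sql
-- Added example: read-only check of the rows described in the post above.
-- Users.ID, Users.Name, UserSubEstates.UserID, UserSubEstates.SubEstateID and
-- SubEstates.ID are as quoted in this thread; UserRoles.UserID is an assumption.
-- Run inside the SEC database (its name is not given on this page).

-- 1. Every console user/group with its sub-estate mapping and role status.
SELECT
    u.ID   AS UserID,
    u.Name AS UserName,
    m.SubEstateID,
    CASE
        WHEN m.UserID IS NULL THEN 'no UserSubEstates row'
        WHEN s.ID IS NULL     THEN 'mapped to a sub-estate that does not exist'
        ELSE 'sub-estate ok'
    END AS SubEstateStatus,
    CASE
        WHEN EXISTS (SELECT 1 FROM dbo.UserRoles AS r WHERE r.UserID = u.ID)
        THEN 'role ok' ELSE 'no UserRoles row'
    END AS RoleStatus
FROM dbo.Users AS u
LEFT JOIN dbo.UserSubEstates AS m ON m.UserID = u.ID
LEFT JOIN dbo.SubEstates     AS s ON s.ID = m.SubEstateID
ORDER BY u.ID, m.SubEstateID;

-- 2. Mappings whose user row is missing (orphans left by manual edits).
SELECT m.UserID, m.SubEstateID
FROM dbo.UserSubEstates AS m
LEFT JOIN dbo.Users AS u ON u.ID = m.UserID
WHERE u.ID IS NULL;

-- 3. The default rows expected after install: 1 if present, 0 if not.
SELECT
    (SELECT COUNT(*) FROM dbo.Users
      WHERE ID = 1 AND Name = 'Sophos Full Administrators') AS DefaultGroupRow,
    (SELECT COUNT(*) FROM dbo.SubEstates WHERE ID = 1)       AS DefaultSubEstateRow,
    (SELECT COUNT(*) FROM dbo.UserSubEstates
      WHERE UserID = 1 AND SubEstateID = 1)                  AS DefaultMappingRow;
```

The queries only read; a clean result means the mapping tables match the expected post-install state and the cause has to be looked for elsewhere.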

  • Hello Mihai,

    forget my previous post ... you said it works with the local account. What was I thinking ....???

    I have no idea why it should affect just this particular group. Perhaps has some idea and can suggest a further course of action.

    Christian

  • Hello, 

     

     

    The entries in the dbo's are in line with what you have stated, with the addition in the dbo.users of a second line for my domain account, in the dbo.subestates of an additional sub-estate named "test", and with the creation of a second row in dbo.userestates with "2 2" in order to assign my account to this additional subestate that I have created.

    What is also strange is that if I manually remove my domain account from the Sophos Full Administrators ... at the next logon he is automatically added back ... I have looked at RSOP on the machine and can't find any GPO setting with that effect.

    Could that be a result of the entries that exist in the Sophos databases? And could that also play a role in this strange behavior?

     

    Mihai

  • Yeah...really strange behavior. Tried with a new domain account that I added to the correct groups on the Sophos server only to get again the sub-estates error.

     

    It's like the Sophos Full Admins local group doesn't take into account any domain identities. 

     

    More interesting, opening the console with the local account we can see the subestates (the default one assigned to the Sophos Full Admins group and the test one assigned to my domain account) ... but that doesn't really change the error we are getting for the domain accounts.

     

     

    Thanks, 

     

    Mihai

  • Hello Mihai,

    only Support (perhaps they have to consult Development) can tell whether the Sophos Full Administrators is special in some way. And referring to your previous post - I'm not aware that a Sophos component would "manipulate" Windows groups or users after install.

    Medium-term the puzzle must be solved. The following could be a short-term workaround: Create a local group (perhaps Sophos Accepted Administrators), assign it to the System Administrator role and the Default sub-estate. If the behaviour w.r.t. local vs. domain accounts added to this group is the same then you should contact Support directly.

    Christian

  • I experienced the same behavior when the Netlogon service on the management server wasn't running. When I started the service manually, the problem was solved.

    -Holger

  • Hello, 

     

    I do not have the Netlogon issue in my case ... so it must be a different cause. Thanks anyway for the input.

     

    Mihai

  • Hello, 

     

     

    Unfortunately the issue is the same with a newly created local group in which I add a local account and the domain account (after assigning to this group the sysadmin role and the default subestate). The local account can open the console ... but the domain one has the same sub-estate error.

    Thank you for your time and dedication.

    Mihai