This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Customizing the SophosUser, SophosPowerUser, and SophosAdmin groups during a SAV agent install

Looking for information on how to control/initiate the Sophos group setup during the installation of the agent on a workstation both in a domain or as a standalone (no domain) system. Here are the questions enquiring minds would love to know:

1. For a workstation not in a Domain, is there a way to customize which users/groups get added to SophosUser, SophosPowerUser, and SophosAdmin you install the SAV agent?

2. Is there also a way to do the same thing if you were part of a domain (reference domain global group accounts instead of defaulting to creating local groups)?

3. Can you change from a local group model to AD domain model? If so, how?

I realize I could run the "net user" commands or write a .VBS file to accomplish the local group customizations, but I am hoping there is something thats part of the Sophos product install to accommodate this directly. Any information on automating these changes is appreciated.

This thread was automatically locked due to age.

0 jak over 14 years ago

HI,

At the point of install, the SAV installer essentially just adds members of the local groups:

Users, Power Users and Administrators to the Sophos groups:

SophosUsers

SophosPowerUser

SophosAdministrator

This is a one time event at install and not something that is kept in sync after, such that adding new local accounts to the machine requires them to be added to the Sophos groups manually if these are to be Sophos users.

There are however 3 other groups that the installer is aware of:

SophosDomainAdministrators

SophosDomainPowerUser

SophosDomainUser

These domain groups only seem to be created when installing standalone SAV on a domain controller for some reason, the good news is that they can be created manually. In doing so these domain groups are added to the Sophos local groups on the machine, so by adding domain users to these different domain groups you are giving them the desired access to Sophos.

Hope this helps.

Thanks,

Jak

:5389
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 14 years ago

Just an addition:

At the point of install, the SAV installer essentially just adds members of the local groups

The members can be groups, e.g. as usually the domain\Domain Users group is a member of the local Users group it is added to the SophosUser group.

These domain groups only seem to be created when installing standalone SAV on a domain controller for some reason

I haven't found an article on this (Understanding Windows and Sophos Groups should be amended to contain a reference to them). Can't say when they are created (as you say seem, Jak, I guess you also don't know for sure) - but if they are present they are added to the workstation's respective Sophosxxxxxxx local groups.

May I ask why you want to configure these groups, ThomK?

Christian
:5392
Cancel
Vote Up 0 Vote Down

Cancel
0 jak over 14 years ago

Hi QC,

I found them one day on a DC and realised it must have been due to the fact I installed using the standalone installer.

I tested this further and found that they are only ever created if the SAV package is installed as a domain administrator, of course this only happens if you use the standalone installer as SAV is installed before AutoUpdate as the installing user. From a CID install, i.e. setup.exe, SAV is installed by AutoUpdate as the system account and thus they are never created.

Thanks,

Jak

:5404
Cancel
Vote Up 0 Vote Down

Cancel