
User Control

I am evaluating Sophos Endpoint for our community hospital.
We have a Win2003 domain.

I have noticed that the workstations that have the Sophos client installed seem to be able to open up the client and make some choices that I would like to limit. For example authorizing a file.

As a system admin how can I limit user choices on the workstations?



This thread was automatically locked due to age.
  • Open the user control panel ( lusrmgr.msc ), go to the Group, then "SophosAdministrators" ( SophosAdministrators may run Sophos Anti-Virus with complete access ), and make sure that only "NT/SYSTEM" and anyone who _should_ be able to make changes to the local Sophos installation is in this group.

    Other groups with limited access to Sophos are:

    * SophosPowerUser ( SophosPowerUsers may run Sophos Anti-Virus with the access that SophosUsers have, plus greater access to cleanup )

    * SophosUser ( SophosUsers may run Sophos Anti-Virus with limited access to scanning configuration and cleanup )

    All these accounts are created during installation of Sophos.

  • How do I control user access to Sophos workstations by using Active Directory?

  • During the initial Sophos install on machines, the SophosAdministrator group gets automatically filled up with all currently existing Administrator accounts on that local machine. In other words, everybody who has admin rights on a local machine will end up being able to control Sophos. Who has Admin rights is something you already control in AD.

  • To dig a little bit deeper:

    Only members of the local groups Administrator, Power Users and Users, and not the groups themselves, are added to the SophosXxxxx group during the initial install. So adding an administrator user or adding an existing user to the Administrators group later does not give him or her SophosAdministrator rights. The SophosUser group has built-in groups (Authenticated Users and INTERACTIVE) as members and is therefore "dynamic". Read also "Sophos Anti-Virus for Windows 2000+: significant files and registry entries", the box for SavMain.exe.

    In an AD environment the Sophos domain global security groups (SophosDomainXxxxx) are added to the corresponding local Sophos groups and of course whoever is already in the standard groups (e.g. Domain Users in local Users). Once an account (group or user) has been added to one of the local Sophos groups it's not easy to remove it centrally.

    Finally - I assume your users are members (perhaps due to AD group memberships) of the local Power Users group and have therefore - as they have been added to SophosPowerUser - access to the authorization manager. Otherwise (i.e. if they have admin rights) they could re-add themselves to the SophosAdministrator group.

    Christian

  • Thanks for clarifying :thumbsup:

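The replies above note that the local Sophos groups are populated at install time and are hard to clean up centrally. As an added example (not from the thread or from Sophos), this script lists the members of the three local groups through the ADSI WinNT provider and flags any that fall outside an allow-list. The allow-list patterns and the `Get-LocalGroupMemberPath` helper name are assumptions for illustration.

```powershell
# Added example: audit membership of the local Sophos groups on one machine.
param([string]$Computer = $env:COMPUTERNAME)

# Wildcard patterns for members expected in each group.
# Assumed policy for illustration only; adjust to your own environment.
$expected = @{
    'SophosAdministrator' = @('NT AUTHORITY/SYSTEM', '*/SophosDomain*')
    'SophosPowerUser'     = @('*/SophosDomain*')
    'SophosUser'          = @('NT AUTHORITY/Authenticated Users',
                              'NT AUTHORITY/INTERACTIVE', '*/SophosDomain*')
}

# Hypothetical helper: returns each member's ADsPath without the WinNT:// prefix,
# e.g. "DOMAIN/PC01/alice" for a local account or "DOMAIN/SomeGroup" for a domain one.
function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', ''
    }
}

$report = foreach ($group in $expected.Keys) {
    try {
        $members = @(Get-LocalGroupMemberPath -Computer $Computer -Group $group)
    } catch {
        # Group missing (Sophos not installed) or access denied.
        Write-Warning "Could not read '$group' on ${Computer}: $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        $ok = $false
        foreach ($pattern in $expected[$group]) {
            if ($member -like $pattern) { $ok = $true; break }   # -like is case-insensitive
        }
        New-Object PSObject -Property @{
            Computer = $Computer; Group = $group; Member = $member; Expected = $ok
        }
    }
}

# Full listing first, then only the members that need review.
$report | Sort-Object Group, Member | Format-Table Computer, Group, Member, Expected -AutoSize
$report | Where-Object { -not $_.Expected } | Select-Object Computer, Group, Member
```

Individual user accounts that were copied into SophosAdministrator or SophosPowerUser during the initial install show up with `Expected` set to `False`, which is the set to review.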