Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 3078 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

User Control

MWebb

I am evaluating Sophos Endpoint for our communty hospital.
We have a Win2003 domain.

I have noticed that the workstations that have the Sophos client installed seem to be able to open up the client and make some choices that I would like to limit. For example authorizing a file.

As a system admin how can I limit user choices on the workstations?

:1665


This thread was automatically locked due to age.
Parents
  • 0

    To dig a little bit deeper:

    Only members of the local groups Administrator, Power Users and Users and not the groups themselves are added to the SophosXxxxx group during the initial install. So adding an administrator user or adding an existing user to the Administrators group later does not give him or her SophosAdministrator rights. The SophosUser group has builtin groups (Authenticated Users and INTERACTIVE) as members and is therefore "dynamic". Read also Sophos Anti-Virus for Windows 2000+: significant files and registry entries the box for SavMain.exe.

    In an AD environment the Sophos domain global security groups (SophosDomainXxxxx) are added to the corresponding local Sophos groups and of course whoever is already in the standard groups (e.g. Domain Users in local Users). Once an account (group or user) has been added to one of the local Sophos groups it's not easy to remove it centrally.

    Finally - I assume your users are members (perhaps due to AD group memberships) the local Power Users group and have therefore - as they have been added to SophosPowerUser - access to the authorization manager. Otherwise (i.e. if they have admin rights) they could re-add themselves to the SophosAdministrator group.

    Christian

    :1687
Reply
  • 0

    To dig a little bit deeper:

    Only members of the local groups Administrator, Power Users and Users and not the groups themselves are added to the SophosXxxxx group during the initial install. So adding an administrator user or adding an existing user to the Administrators group later does not give him or her SophosAdministrator rights. The SophosUser group has builtin groups (Authenticated Users and INTERACTIVE) as members and is therefore "dynamic". Read also Sophos Anti-Virus for Windows 2000+: significant files and registry entries the box for SavMain.exe.

    In an AD environment the Sophos domain global security groups (SophosDomainXxxxx) are added to the corresponding local Sophos groups and of course whoever is already in the standard groups (e.g. Domain Users in local Users). Once an account (group or user) has been added to one of the local Sophos groups it's not easy to remove it centrally.

    Finally - I assume your users are members (perhaps due to AD group memberships) the local Power Users group and have therefore - as they have been added to SophosPowerUser - access to the authorization manager. Otherwise (i.e. if they have admin rights) they could re-add themselves to the SophosAdministrator group.

    Christian

    :1687
Children
No Data
Unfiltered HTML