Sophos Management Host Service automatically changes Password

Hello,

We are having problems with the "Sophos Management Host" service.

I have searched everywhere and am not able to find a solution.

Whenever we reboot the server, somehow, the password for the service changes. Meaning we have to manually edit the password to the user account's password in the service.

The other services, using the exact same account, work without any problems (Sophos patch services).

Does anyone have any idea what could automatically change the password for this service?

- Password never expires

- User cannot change password

Best Regards,

Martijn

  • Hi,

    Sounds odd. Just to check, are you saying that you correct the password for the account in "Services.msc" and the service starts OK? Your computer is then restarted and the service fails to start. If you go back in to "Services.msc", the service fails to start with a logon failure?

    In the event log, is there any evidence that MSI has run at shutdown/startup? I wonder if the install is being "repaired" and, for whatever reason, the password is being changed at that point?

    Regards,

    Jak
  • Hello,

    Yes, that is exactly what I am saying...

    I have checked the eventvwr, and there are no MSI or anything like that being run on the server at startup/shutdown.

    The DC shows several logon failures for the account, so it has tried to start the service automatically.

    Other services start just fine with the same account, it is only that specific service that automatically changes.

    Sophos Enterprise Console 5.1.0.1839

    Best Regards,

    Martijn
  • Hi,

    In that case it's very odd behaviour indeed. Is there any software on the computer that is involved with accounts?

    I would suggest that, in the local security policy for the computer, you enable all auditing options for accounts and see if there are any clues in the Security event log after reproducing it.

    The options are under:

    "\Security Settings\Local Policies\Audit Policy\"

    Also, Windows stores the password for service accounts under: HKLM\SECURITY\Policy\Secrets\_SC_[ServiceName] as a secret.

    You could maybe set up Process Monitor with a path rule to:

    HKLM\SECURITY\Policy\Secrets\_SC_

    Do you see a modification to the key at startup, for example, if you log boot/reproduce it?

    Regards,

    Jak
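
One way to gather the evidence asked for above after a reboot reproduces the failure, as an added example that is not part of the original thread. The look-back window and the script's parameter names are assumptions; the service display name is the one quoted in the thread, and the audit subcategory names are those of an English-language `auditpol`.

```powershell
# Added example, not from the thread. Save as a .ps1 and run elevated.
# Assumed: the service display name quoted in the thread; $Since is your choice.
param(
    [string]$ServiceName = 'Sophos Management Host',
    [datetime]$Since = (Get-Date).AddDays(-1),
    [switch]$EnableAuditing   # run once with this switch, reboot, then run without it
)

if ($EnableAuditing) {
    # Success and failure auditing for the account-related subcategories
    # (subcategory names as shown by an English-language auditpol).
    foreach ($sub in 'Logon', 'Credential Validation', 'User Account Management') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable
    }
    return
}

$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
if (-not $svc) { throw "No service with display name '$ServiceName'" }
$user = ($svc.StartName -split '\\')[-1] -replace '@.*$'

# 1. Every service that logs on with the same account, to compare state.
Get-CimInstance Win32_Service | Where-Object StartName -eq $svc.StartName |
    Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize

# 2. Service Control Manager: 7000 start failure, 7038 logon failed with the
#    configured password, 7041 account lacks "Log on as a service".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7000, 7038, 7041; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Any Windows Installer activity (install, repair, reconfigure) in the window.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
    StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Security log: 4625 failed logon, 4723/4724 password change/reset attempt,
#    4738 account changed. For a domain account, 4723/4724/4738 are on the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4723, 4724, 4738
    StartTime = $Since } -ErrorAction SilentlyContinue | ForEach-Object {
    $e = $_; $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetUserName -eq $user) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $d.TargetUserName
            LogonType = $d.LogonType; ChangedBy = $d.SubjectUserName }
    }
}
```

In the 4625 rows, a `LogonType` of 5 is a service logon, which separates the Service Control Manager's own start attempts from other failed logons for the same account.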

  • Did you have any joy with fixing this issue? We are having the exact same issue: every time we reboot the server the password changes and we have to re-enter it. Once re-entering the password the service starts fine.

    Phil