Protect Computers from Enterprise Console 4

I have Enterprise Console 4 loaded on a domain server. I want the techs to be able to protect computers from their console. The techs do not have domain admin rights, but are part of a domain group that has local admin rights on the domain computers. When they try to protect the computers with their domain accounts it comes up with "The specified credentials are invalid". I can do it fine using my domain admin account. I gave the techs rights to all Sophos-related folders and registry keys but it still would not work. If I make the techs local admins on the Sophos server it works fine. Is there a workaround so that I don't have to give them admin rights on the server?

Thanks

  • Hello joeyl,

    I can't figure out your exact setup. I'm still puzzling over "from their console".

    You're saying they get the pop-up immediately after pressing Finish on the wizard's Credentials window? I've seen it only when the credentials are indeed invalid or could not be verified (i.e. authentication with the domain/computer specified in the credentials failed for some other reason).

    No workaround or local admin rights should be needed.

    Christian

  • Hi Christian

    thanks for the reply. I had the techs install endpoint consoles on their machines.

    When it says "please enter an account that has access to install software on the computer", that's when they put in their domain user account and click Finish, and they get the "specified credentials are invalid" pop-up. I have the same thing if I enter non-domain admin credentials on the Sophos Console running on the dedicated Sophos server. If I make the tech's domain user account a member of the Sophos server's local Administrators group, it works fine.

  • This Windows security always gives me headaches :smileymad: ... :smileyhappy:

    Ok, it won't help you when I say it works for me. So I've played a lot with various combinations and here's my next question: Is this group allowed (or explicitly denied) to log on locally in the Local Security Settings? If this doesn't help please check the Security Event Log - the check from the console generates a security event.

    Christian 

  • When asked for credentials, try using the following format:

    domain\username

    I had the same issue when I first installed.

  • Hi Christian, thanks for putting me in the right direction!

    Do you mean if the group can log on locally to the server itself in GP? If this is the case, then no, only administrators and domain admins are explicitly allowed to log on locally to the Sophos Server. And I did see the error when I tried a non-domain admin account:

    Failure Reason:  The user has not been granted the requested logon type at this machine.
    Status:          0xc000015b
    Sub Status:      0x0

    I cannot add the group to the "log on locally" right in gpedit though; the option to add is greyed out.

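The Security log entry quoted above is what separates "wrong password" from "right user, but a logon right is missing": Status 0xC000015B means the account authenticated but was not granted the requested logon type on that machine. The script below is an added example, not code from the thread or from Sophos: run it elevated on the SEC server to list failed logons carrying that status and to dump the interactive-logon allow/deny assignments the machine is actually enforcing. It assumes Windows Server 2008 or later (failed logons are event ID 4625, the format joeyl pasted) and that the account is given as DOMAIN\user.

```powershell
# Added example (not from the thread, not Sophos tooling): on the SEC server,
# show whether the console's credential check is being rejected by a logon-right
# policy (Status 0xC000015B) rather than by a bad password, and which
# "log on locally" / "deny log on locally" assignments are in force.
# Assumptions: Server 2008 or later (event ID 4625), elevated session,
# optional filter in DOMAIN\user form.
param(
    [string]$LogonAccount,      # e.g. 'CONTOSO\tech1' (assumed naming); empty = show all
    [int]$MaxEvents = 200       # how many recent failed logons to inspect
)

# 1. Failed logons whose Status is 0xC000015B:
#    "The user has not been granted the requested logon type at this machine."
#    The XML view is used so field names, not positional indexes, select the data.
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType          # 2 = interactive, 3 = network, ...
            Status    = $d.Status
            SubStatus = $d.SubStatus
            Source    = $d.WorkstationName
        }
    } |
    Where-Object {
        $_.Status -eq '0xc000015b' -and
        (-not $LogonAccount -or $_.Account -eq $LogonAccount)   # -eq is case-insensitive
    }

if ($denied) {
    "Logon attempts rejected by a logon-right policy (Status 0xC000015B):"
    $denied | Format-Table -AutoSize
} else {
    "No 0xC000015B failures among the last $MaxEvents failed-logon events."
}

# 2. The interactive-logon rights as applied to this machine. secedit exports
#    the local security database, which already reflects domain GPO settings,
#    so a deny pushed by GPO shows up here even though gpedit greys it out.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
"User rights that decide whether the console's credential check passes"
"(principals are listed as SIDs; S-1-5-32-544 is the local Administrators group):"
Get-Content $inf | Where-Object {
    $_ -match '^SeInteractiveLogonRight|^SeDenyInteractiveLogonRight'
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

If the tech's account shows up with LogonType 2 and Status 0xC000015B while SeDenyInteractiveLogonRight contains the techs' group SID, the console is doing exactly what the GPO tells it to, and no amount of folder or registry ACLs on the Sophos server will change the outcome.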
  • Hello joeyl,

    this is not a DC, is it? Just asking 'cause I know (but my knowledge is limited) only two reasons that Add is greyed out: 1) it is a DC, where you have to use the DCSP instead of gpedit, 2) there's a permissions error on the GPOs. In an undefined policy in a GPO it is also grey until you check "Define this policy", but this does not apply. Dunno what changes if you install TS on a server though.

    Community - help please! :smileyhappy:

    Christian

  • Hi Christian

    No, it is not a DC, and I found out that previous systems admins have implemented a "deny log on locally" GPO to prevent computer techs from logging into the server with their accounts; only domain admins can log on locally. And I cannot change that because of security compliance.

    So it looks like there is no good solution for techs to push out sophos, unless I move the Sophos Enterprise console to another machine that would be doing just that....

  • Hello joeyl,

    the log on locally right is required. Do the techs protect new computers or re-protect existing "endpoints"? What else do they use the console for? While it is convenient it is not absolutely necessary to use SEC to protect computers.

    Do you use AD synchronization to detect new computers? If so - have you considered automatic protection?

    Christian

  • Christian

    Thanks again for your reply, it has been most helpful. Yes, we have considered automatic protection within the AD synchronization; however, we also use Deep Freeze to return most computers to factory fresh at the end of the day, and these computers would just attempt to re-protect themselves every time they are rebooted. That's why we wanted the techs to be able to protect the Deep Freeze PCs when they have them rebooted in "management" mode at their convenience. Apart from that they use the console only to see problem PCs in their areas.

    I could change the AD synchronization to exclude these PCs, and use auto-protect on the rest of the regular PCs.

  • Don't mention it!

    Since SEC "just" creates a scheduled task which starts setup.exe (using some switches) from the CID, this could also be done from a tech's PC provided it has access to the target computer. Creating the task could be wrapped in a script.

    Christian

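The approach Christian sketches above, written out as an added example that is not part of the thread and not Sophos's own tooling: from a tech's PC, create a run-once scheduled task on the target that starts setup.exe from the CID share, fire it, wait for it to finish, and then remove the task definition. It relies only on what the thread establishes, namely that the techs are local admins on the target computers and that the CID is a share they can reach. Everything else is an assumption and is marked as such in the code: the share path, the target accepting remote Task Scheduler connections, the task running as SYSTEM (so the target's computer account, not the tech, needs Read on the CID share), English status strings from schtasks, and the setup.exe switches, which the thread does not list and which you should take from the Sophos documentation for your CID version.

```powershell
# Added example (not from the thread, not Sophos tooling): protect one computer
# from a tech's PC by wrapping "create task on target -> run setup.exe from CID"
# around schtasks.exe, as the post above suggests.
# Assumptions (verify in your environment):
#  - the tech running this is a local admin on $ComputerName (given in the thread)
#  - the target accepts remote Task Scheduler connections (RPC/SMB reachable)
#  - the task runs as SYSTEM, so the target's computer account needs Read on the CID share
#  - $CidPath and $SetupArgs are placeholders; take the real switches from the
#    Sophos documentation, and keep paths free of spaces in this simple form
#  - schtasks prints English status strings ("Running", "Ready")
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$CidPath   = '\\sophos-srv\SophosUpdate\CIDs\S000\SAVSCFXP',  # assumed share layout
    [string]$SetupArgs = "-updp $CidPath -mng yes",                       # assumption: check docs
    [string]$TaskName  = 'Sophos-Protect',
    [int]$TimeoutMinutes = 20
)
$ErrorActionPreference = 'Stop'

function Get-RemoteTaskStatus {
    # Returns 'Running', 'Ready', ... from the target, or 'Missing' if no such task.
    param([string]$Computer, [string]$Name)
    $csv = schtasks.exe /Query /S $Computer /TN $Name /FO CSV /NH 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) { return 'Missing' }
    ($csv | ConvertFrom-Csv -Header TaskName, NextRunTime, Status)[0].Status
}

# Fail early on our side: target awake (e.g. rebooted into "management" mode) and CID visible.
if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
    throw "$ComputerName does not answer ping"
}
if (-not (Test-Path (Join-Path $CidPath 'setup.exe'))) {
    throw "setup.exe not found under $CidPath"
}

$command = "$CidPath\setup.exe $SetupArgs"

# Run-once task with a start time already in the past today, so it never fires by
# itself and only runs when we call /Run. /F overwrites a leftover from an earlier try.
schtasks.exe /Create /S $ComputerName /TN $TaskName /TR $command `
    /SC ONCE /ST 00:00 /RU SYSTEM /F | Out-Null
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed on $ComputerName (exit $LASTEXITCODE)" }

schtasks.exe /Run /S $ComputerName /TN $TaskName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "schtasks /Run failed on $ComputerName (exit $LASTEXITCODE)" }

# Wait for the installer to finish before deleting the task, so the definition
# (and with it the CID path and switches) does not linger on the endpoint.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $status = Get-RemoteTaskStatus -Computer $ComputerName -Name $TaskName
    "$(Get-Date -Format 'HH:mm:ss') $ComputerName task status: $status"
} while ($status -eq 'Running' -and (Get-Date) -lt $deadline)

schtasks.exe /Delete /S $ComputerName /TN $TaskName /F | Out-Null
if ($status -eq 'Running') {
    Write-Warning "Installer still running after $TimeoutMinutes minutes; task removed, process left alone"
} else {
    "Installer finished on $ComputerName; it should report in to the console shortly"
}
```

Two points worth keeping in mind when you turn this into the techs' everyday tool: running the task as SYSTEM avoids putting a tech's password into a stored task credential on the endpoint, but it moves the access question to the share ACL on the CID (Domain Computers, or the specific machines, need Read); and because the whole thing goes through the target's own Task Scheduler, none of it touches the Sophos server's logon rights, which is exactly the constraint the "deny log on locally" GPO imposes.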