Possible group enumeration bug in 4.5

I've found an issue with EM Console. 

Microsoft best practices say that you should not add users directly to Domain Admins. We've got a brand new domain, where we've created a system admins group (which is a member of Domain Admins) and then we add our admin users to that group.

However, users added that way won't work with EM Console. It just says they don't have rights to the console. Move the user directly into Domain Admins, and it does work. 

I've not tested it massively, but it also affected installation too. Can anybody else confirm this behaviour?

  • Hello David,

    Is the system admins group a member of the Sophos Full Administrators group? If it is not, please try adding this group to be a member of the Sophos Full Administrators group and try again.

    • It isn't - domain admins are members of the Sophos Administrators group.

      Also, during installation I was using my domain admin account, and it was failing miserably to find the domain. As soon as I logged in as THE domain administrator, it worked.

      Longer term, I'll probably be inclined to do the groups more explicitly. But still, it should still be able to enumerate those groups, surely?

      • Hello David,

        I have replicated your issue and I will investigate and come back to you shortly.

        • That's great. Thanks :)

          • Hi David,

            I can confirm that this is expected behavior, but we have it raised as a feature request, as it is not a defect as such of the product. Can I ask for the location of the document that states this as best practice by Microsoft? I would be very interested to investigate this further and the reason that Microsoft give for it.

            AK

            • Hi,

              I'll see if I can find it and let you know.

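The difference the thread turns on, a direct-membership check versus one that follows nested groups, shown as an added example (not Sophos code and not posted by anyone in the thread). The directory is a constructed dictionary; the accounts `david` and `alice`, the group `Tier0 Ops` and the function names are hypothetical.

```python
from collections import deque

# Constructed directory: group name -> direct members (users or other groups).
# "Domain Admins" and "System Admins" mirror the thread; the rest is made up.
DIRECTORY = {
    "Domain Admins": {"Administrator", "System Admins"},
    "System Admins": {"david", "Tier0 Ops"},
    "Tier0 Ops": {"alice", "System Admins"},  # circular nesting, legal in AD
}


def is_direct_member(principal, group, directory=DIRECTORY):
    """True only if the principal is listed on the group itself."""
    return principal in directory.get(group, set())


def effective_members(group, directory=DIRECTORY):
    """Return every user reachable from the group through nested groups.

    Breadth-first walk; seen_groups stops the walk looping forever when
    two groups contain each other.
    """
    seen_groups = {group}
    users = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, set()):
            if member in directory:          # member is itself a group
                if member not in seen_groups:
                    seen_groups.add(member)
                    queue.append(member)
            else:                            # member is a user account
                users.add(member)
    return users


def is_effective_member(principal, group, directory=DIRECTORY):
    """True if the principal holds the group directly or through nesting."""
    return principal in effective_members(group, directory)


if __name__ == "__main__":
    for account in ("Administrator", "david", "alice", "mallory"):
        print(account,
              "direct:", is_direct_member(account, "Domain Admins"),
              "effective:", is_effective_member(account, "Domain Admins"))
```

An access check built on the first function rejects `david` even though he holds Domain Admins rights through the nested group; an audit of privileged accounts built on it would miss him for the same reason.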