
Can I disable/delete Sophos Domain-Accounts "SophosEmLibUser1" and "SophosEndpointUpdate"

Hi guys,

I am currently running a cleanup on my Active Directory and looking for domain accounts with too many rights which I can disable (security risks, e.g. account can be delegated or password never expires). And SEC creates a lot of groups and users :D For example, there's a "SophosSAU<servername>aaa" for each domain controller (description: to download Sophos updates > password never expires). I think that's because it's not possible to create local admins on a DC, fair enough.

But there are two accounts with built-in administrator rights and I am not able to find any documentation about these accounts:

SophosEmLibUser1 (password never expires, can be delegated, member of built-in groups "Administrators", "SophosAdministrator" and also "Domain Users", description "Sophos EM Library Account")

SophosEndpointUpdate (password never expires, can be delegated, member of built-in groups "Administrators" and "Users" and also "Domain Users", description "Sophos AutoUpdate Account")

Are these old accounts and are they safe to delete/disable? I think they were created at an initial installation of Sophos EC in the AD. Where should I look to see if they are used by some services?

I used Process Explorer to take a look at whether there's any service on the SEC server that uses one of the accounts, but most of the services run as Local Service or the System account. Some parts are running as a Sophos user I created at the last move of SEC to a new server (Sophos.FrontEnd.Service.exe, PatchServerCommunicator.exe, PatchEndpointOrchestrator.exe and PatchEndpointCommunicator.exe).

Maybe one of them is used to install the client part? But why do I have to type in administrator credentials of the client where I want to install Sophos Endpoint Security? And Sophos Update Manager seems to run as a local account on the SEC server named "SophosUpdate".

I hope someone can help me with these two accounts :)

Best regards, Toby

PS: running on SEC 5.5.1

  • Hello Toby,

    easy things first: For the SophosSAU<servername>aaa accounts please see What is the SophosSAU account? As you have the latest SEC version only these two accounts are required.

    By default whatever account has been set for the SUM Account is used in the updating policies. Of course if updating policies have been migrated (likely) they might use an "old" account. Shouldn't be too hard to check unless you have lots of updating policies.

    two accounts with built-in administrator rights
    in the age of EM Library and Enterprise Manager only the Enterprise Manager account (EM) had to be a member of the Administrators group; in addition it required the Log on as a Service right. This was back in the time of NT4 and Windows 2000 and has long since been changed; the architecture was redesigned with the introduction of SUM. No other account (notably the one used for updating Sophos on the endpoints) ever needed administrative rights.
    These two accounts are things from the past; unless still in use by a policy you can safely remove them (the prudent approach is to disable them and check if something breaks).

    Sophos Update Manager
    normally runs as Local System.

    used to install the client part?
    Please see How the Protect Computers Wizard performs an installation. Of course you need administrative rights to install (system) software on an endpoint. SEC doesn't store any account that requires administrative rights though.

    Christian
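
The "disable and check if something breaks" approach above works better if you collect the evidence first. The following PowerShell is an added example for this thread, not something from Sophos or from either poster: it reports the AD flags Toby listed, looks for services and scheduled tasks on the SEC server that log on with either account, and pulls recent authentication events for them from the domain controllers. It assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and a placeholder SEC server name (`SEC01`); the two account names are the ones from the thread.

```powershell
# Added example (not from the thread or from Sophos): audit the two legacy
# Sophos domain accounts before disabling them.
# Assumptions: RSAT ActiveDirectory module installed where this runs; you can
# read the Security log on the DCs; $SecServers lists your SEC/SUM server(s).
Import-Module ActiveDirectory

$Accounts   = @('SophosEmLibUser1', 'SophosEndpointUpdate')   # names from the thread
$SecServers = @('SEC01')                                      # placeholder, adjust
$LookBack   = (Get-Date).AddDays(-30)

# 1. AD view: the risk flags (delegation, non-expiring password) plus the two
#    attributes that say whether anything still uses the account. Note that
#    LastLogonDate comes from lastLogonTimestamp and can lag by up to 14 days.
function Get-SophosAccountReport {
    $props = 'MemberOf', 'PasswordNeverExpires', 'TrustedForDelegation',
             'LastLogonDate', 'PasswordLastSet', 'Description'
    foreach ($name in $Accounts) {
        $u = Get-ADUser -Identity $name -Properties $props
        [pscustomobject]@{
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            Description          = $u.Description
            PasswordNeverExpires = $u.PasswordNeverExpires
            TrustedForDelegation = $u.TrustedForDelegation
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            # CN of each group, e.g. "Administrators; SophosAdministrator; Domain Users"
            Groups = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    }
}

# 2. Services and scheduled tasks on the SEC server(s) whose logon identity is
#    one of the accounts (StartName / UserId look like DOMAIN\user or user@domain).
function Get-SophosAccountUsage {
    foreach ($srv in $SecServers) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $srv |
            Where-Object { $sn = $_.StartName; $Accounts | Where-Object { $sn -like "*$_*" } } |
            ForEach-Object { [pscustomobject]@{ Server = $srv; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName } }

        Get-ScheduledTask -CimSession $srv |
            Where-Object { $id = $_.Principal.UserId; $Accounts | Where-Object { $id -like "*$_*" } } |
            ForEach-Object { [pscustomobject]@{ Server = $srv; Kind = 'Task'; Name = $_.TaskName; RunAs = $_.Principal.UserId } }
    }
}

# 3. Authentication events on every DC in the look-back window: 4624 (logon)
#    and 4768 (Kerberos TGT request). 4768 is the useful one when some other
#    box still uses the account, because the TGT is always issued by a DC.
#    This can be slow on busy DCs; shorten $LookBack if needed.
function Get-SophosAccountLogons {
    $filter = @{ LogName = 'Security'; Id = 4624, 4768; StartTime = $LookBack }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ev = $_
                foreach ($name in $Accounts) {
                    if ($ev.Message -match "\b$([regex]::Escape($name))\b") {
                        [pscustomobject]@{ DC = $dc; Time = $ev.TimeCreated; EventId = $ev.Id; Account = $name }
                    }
                }
            }
    }
}

Get-SophosAccountReport | Format-List
Get-SophosAccountUsage  | Format-Table -AutoSize
Get-SophosAccountLogons | Sort-Object Time -Descending | Format-Table -AutoSize

# 4. If steps 2 and 3 come back empty, disable rather than delete, keep re-running
#    step 3 for a few weeks, and only then remove the accounts:
# $Accounts | ForEach-Object { Disable-ADAccount -Identity $_ }
```

Step 3 is the one that catches the case the thread worries about: a migrated updating policy or a forgotten endpoint still authenticating with one of these accounts shows up as a 4768 on a DC even when nothing on the SEC server itself runs under it. The SophosSAU accounts and the SUM account are deliberately left out of `$Accounts`, since the reply above says those are still required.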

  • Hi QC,

    thank you very much for your very fast reply :) I'll take a look at your referenced articles about SAU accounts.

    I moved the SEC installation about a year ago and did everything like it was described in the documentation. I created new accounts with the lowest rights and didn't use the old accounts. But I also moved "the installation" and so I am not 100% sure if there's an old account integrated. But if I understand it right, chances are very low. I did as you suggested and disabled both accounts and will wait to see if something crashes ;)

    Thank you again for your help
