SEC Decommission Active Directory Users/Groups

We have migrated from SEC to Sophos Central. The old SEC server has been removed, but we still have Sophos Users/Groups in Active Directory. Is there any special way these must be removed?

Thank you,

  • The Sophos Central client uses AutoUpdate XG; this does not need the locally generated "SophosSAU<MachineName>XXX" accounts used by Sophos AutoUpdate, so those two can be removed.

    Sophos Anti-Virus is, at the current time, still installed with the Sophos Central client; the installer creates the 4 local groups:

    • SophosAdministrator
    • SophosOnAccess
    • SophosPowerUser
    • SophosUser

    These were primarily created to control access to the Quarantine Manager, which has now been replaced by the Event Store, but the groups are still used by SAV and therefore the above groups must stay.

    Note: When SAV is removed from the Central client in the not too distant future, they will be removed along with SAV.

    When you installed SEC, it asked for 2 accounts: one for the management service to access the database; the other was the account the clients used to get updates from the SophosUpdate share. Given the names, I suspect these are the "Sophos Management" and "Sophos Update Manager" accounts. If the SEC server has gone, you can remove the "Sophos Management" account. If the CIDs/distribution points have gone, i.e. there are no clients running the old on-prem client that need access to the CID for migration purposes, the Sophos Update Manager account can also be removed.

    The SophosDomainAdministrator, SophosDomainPowerUser and SophosDomainUser accounts can be removed, so you can remove everything apart from the bulleted list of groups above, which are used by SAV.

  • Thanks for the info! When you say (4 local groups) do you mean local to our Domain or local to workstations?


  • On a member server or domain member they will be local groups. On a DC they would have to be domain groups.

  • Ok,

    They are groups on our domain, not local groups to a server or workstation. Are these domain based groups still required with Sophos Central?

  • Any group, local or otherwise, by the following names should remain:

    • SophosAdministrator
    • SophosOnAccess
    • SophosPowerUser
    • SophosUser

    The others can go.
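
The keep/remove guidance from the replies above, turned into a read-only Active Directory inventory. This is an added example, not part of the original thread and not Sophos tooling. It assumes the RSAT ActiveDirectory module is installed, and the two service account names are only the ones the answerer guessed at, so adjust them to whatever was chosen during SEC setup.

```powershell
# Read-only inventory of Sophos-named domain groups and user accounts.
# Nothing is modified or deleted; the output is a review list.
Import-Module ActiveDirectory

# Groups the thread says must stay while Sophos Anti-Virus (SAV) is installed.
$keep = 'SophosAdministrator', 'SophosOnAccess', 'SophosPowerUser', 'SophosUser'

# Names the thread says can go once the SEC server and CIDs are gone.
# 'Sophos Management' / 'Sophos Update Manager' are assumed names (the
# answerer's guess); replace them with the accounts used in your SEC install.
$removable = 'SophosDomainAdministrator', 'SophosDomainPowerUser', 'SophosDomainUser',
             'Sophos Management', 'Sophos Update Manager'

# Groups and person-type user objects only (excludes computer accounts).
$filter = '(&(name=Sophos*)(|(objectClass=group)(&(objectCategory=person)(objectClass=user))))'
$objects = Get-ADObject -LDAPFilter $filter

$report = foreach ($o in $objects) {
    $verdict = if ($keep -contains $o.Name) {
        'Keep (used by SAV)'
    } elseif ($removable -contains $o.Name) {
        'Removable per thread'
    } else {
        'Review manually'
    }

    # Show evidence of current use before anyone decides to delete.
    $detail = if ($o.ObjectClass -eq 'group') {
        $members = @(Get-ADGroupMember -Identity $o.DistinguishedName)
        "members=$($members.Count)"
    } else {
        $u = Get-ADUser -Identity $o.DistinguishedName -Properties LastLogonDate
        $last = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
        "enabled=$($u.Enabled); lastLogon=$last"
    }

    [pscustomobject]@{
        Name    = $o.Name
        Class   = $o.ObjectClass
        Verdict = $verdict
        Detail  = $detail
        DN      = $o.DistinguishedName
    }
}

$report | Sort-Object Verdict, Name | Format-Table -AutoSize -Wrap
```

A "Removable per thread" account with a recent lastLogon suggests something (for example an old on-prem client still pulling from a CID) is still using it, which is the condition the answer says to check before removal.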