
AD - Duplicate Groups

Sophos Endpoint needed to be rebuilt due to security risks of the 2 required accounts to run it.

My Domain now has 3 Duplicate entries for each of the following:

SophosAdministrator
SophosOnAccess
SophosPowerUser
SophosUser

All original and duplicate entries are empty.

Can I safely remove these?
Will removing break anything?

I saw another KB with similar questions but without a real answer, only a broken link to an article I was unable to find in the documentation.

Running Sophos Enterprise Console 5.3



  • Hello ITHelpDesk1,

    (I've moved the thread to the SEC forum as it seems to be the better choice - if you disagree I can move it back)
    do I understand you correctly that you reinstalled SEC?
    Is it on a member server or a DC? These entries should be Domain Local Security Groups (is this a single domain environment?) - strange though that they exist at all as AD should not permit objects with the same name. SophosOnAccess has no members, the other three have the corresponding SophosDomainXxxxx Global Security Groups as members.
    What other KB with similar questions are you referring to?

    Christian

  • First Comment from Moderator had link to an article that no longer exists.
    community.sophos.com/.../9405

    SEC is on a member server. Used across Multi-Domain (internal and external), however even the external DC does not create an entry in the internal Domain like the other DCs do (SophosSAU*externalDC*0), so I do not believe that is what created the duplicates.

    Each of the mentioned security groups are listed as follows in domain:
    SophosUser
    SophosUserCNF:1f5ae26e-8c4b-476b-8ae9-1c4635cff5f3 (some values changed for security)
    SophosUserCNF:78216c09-d7fe-4c92-9776-a3baf0c40eae (some values changed for security)

    2 with the garbage text have group name "$DUPLICATE-36b1"

    All domain security Groups Original and duplicate are empty in the domain security groups except the SophosAdministrator (and duplicates) which contain values but which are not seen pushed to any computers security groups/ giving any extra powers.

    SophosUser= no members
    SophosPowerUser= no members
    SophosOnAccess= no members
    SophosAdministrator= collection of different admin accounts as members
  • Hello ITHelpDesk1,

    (should have stated more precisely, duplicate objects are possible in AD - with the final result you've posted here)

    I see, and it suggests that SEC (and its reinstall) is not to blame. Understanding Windows and Sophos Groups has a short description of what these groups are for. As there are no local users/groups on a DC the Sophos groups are created as Domain Local groups when Endpoint is installed on the first DC. Subsequent installs on other DCs should not (try to re-) create these groups. Can't say what could have happened.
    Anyway, as normally only Admins log on to a DC (if at all), the endpoint (DC) uses the original name, and as the Sophos groups "just" determine the logged-on user's rights wrt Sophos, only the SophosAdministrator group has some significance (and I think there is, as you've said, no issue with the SophosSAU impersonation accounts).

    Guess you can safely remove the duplicates

    Christian 
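
The "SophosUserCNF:<guid>" names above are AD replication-conflict objects, and the "$DUPLICATE-36b1" value is the sAMAccountName AD assigns to them. The script below is an added example, not from this thread or from Sophos; it assumes the RSAT ActiveDirectory module and lists the conflict copies of the four Sophos groups with their members, then dry-runs removal of only the empty ones (-WhatIf) so a populated copy such as SophosAdministrator is reviewed rather than deleted.

```powershell
# Added example (not from the thread): find AD replication-conflict ("CNF:")
# copies of the Sophos endpoint groups and check they are empty before removal.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# The four Domain Local groups named in the thread.
$sophosGroups = 'SophosAdministrator', 'SophosOnAccess', 'SophosPowerUser', 'SophosUser'

function Get-SophosConflictGroups {
    param([string[]]$Names = $sophosGroups)
    foreach ($name in $Names) {
        # A conflict object's CN is "<name>\nCNF:<objectGUID>"; the LDAP
        # wildcard also matches the embedded line feed.
        Get-ADGroup -LDAPFilter "(&(objectClass=group)(cn=$name*CNF:*))" `
                    -Properties whenCreated, sAMAccountName
    }
}

function Get-ConflictReport {
    Get-SophosConflictGroups | ForEach-Object {
        $members = @(Get-ADGroupMember -Identity $_.DistinguishedName)
        [pscustomobject]@{
            Name           = ($_.Name -replace "`n", ' ')   # make the LF visible
            SamAccountName = $_.sAMAccountName               # e.g. "$DUPLICATE-xxxx"
            Created        = $_.whenCreated
            MemberCount    = $members.Count
            Members        = ($members.SamAccountName -join ', ')
            DN             = $_.DistinguishedName
        }
    }
}

$report = Get-ConflictReport
$report | Format-Table Name, SamAccountName, Created, MemberCount, Members -AutoSize

# Only an empty conflict copy is a removal candidate; a populated one (the
# SophosAdministrator case in the thread) needs review first. -WhatIf keeps
# this a dry run; drop it only after the report has been checked.
$report | Where-Object MemberCount -eq 0 | ForEach-Object {
    Remove-ADGroup -Identity $_.DN -Confirm:$false -WhatIf
}
```

The original (non-CNF) group is never matched by the filter, so it stays untouched whatever the report shows.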

  • I have not been able to test disabling/removal of the duplicates as of yet, but I believe this will be a fine solution, with the worst case scenario of having to reinstall Sophos on the endpoint