AD - Duplicate Groups

Hello ITHelpDesk1,

(I've moved the thread to the SEC forum as it seems to be the better choice - if you disagree I can move it back)
do I understand you correctly that you reinstalled SEC?
Is it on a member server or a DC? These entries should be Domain Local Security Groups (this a single domain environment?) - strange though that they exist at all as AD should not permit objects with the same name. SophosOnAccess has no members, the other three have the corresponding SophosDomainXxxxx Global Security Groups as members.
What ]an]other KB with similar questions are you referring to?

Christian

First Comment from Moderator had link to an article that no longer exists.
community.sophos.com/.../9405

SEC is on member server. Used across Muli-Domain (internal and external), however even the external DC does not create entry into internal Domain like other DC's (SophosSAU*externalDC*0) so I do not believe that is what created the duplicates.

Each of the mentioned security groups are listed as follows in domain:
SophosUser
SophosUserCNF:1f5ae26e-8c4b-476b-8ae9-1c4635cff5f3 (some values changed for security)
SophosUserCNF:78216c09-d7fe-4c92-9776-a3baf0c40eae (some values changed for security)

2 with the garbage text have group name "$DUPLICATE-36b1"

All domain security Groups Original and duplicate are empty in the domain security groups except the SophosAdministrator (and duplicates) which contain values but which are not seen pushed to any computers security groups/ giving any extra powers.

SophosUser= no members
SophosPowerUser= no members
SophosOnAccess= no members
SophosAdministrator= collection of different admin accounts as members

Hello ITHelpDesk1,

(should have stated more precisely, duplicate objects are possible in AD - with the final result you've posted here=

I see, and it suggests that SEC (and its reinstall) is not to blame. Understanding Windows and Sophos Groups has a short description of what these groups are for. As there are no local users/groups on a DC the Sophos groups are created as Domain Local groups when Endpoint is installed on the first DC. Subsequent installs on other DCs should not (try to re-) create these groups. Can't say what could have happened.
Anyway, as normally only Admins log on to a DC (if at all), the endpoint (DC) uses the original name, and the Sophos groups "just" determine the logged on user's rights wrt Sophos only the SophosAdministrator group has some significance (and I think there is, as you've said, no issue with the SophosSAU impersonation accounts).

Guess you can safely remove the duplicates

Christian 

Hello ITHelpDesk1,

(should have stated more precisely, duplicate objects are possible in AD - with the final result you've posted here=

I see, and it suggests that SEC (and its reinstall) is not to blame. Understanding Windows and Sophos Groups has a short description of what these groups are for. As there are no local users/groups on a DC the Sophos groups are created as Domain Local groups when Endpoint is installed on the first DC. Subsequent installs on other DCs should not (try to re-) create these groups. Can't say what could have happened.
Anyway, as normally only Admins log on to a DC (if at all), the endpoint (DC) uses the original name, and the Sophos groups "just" determine the logged on user's rights wrt Sophos only the SophosAdministrator group has some significance (and I think there is, as you've said, no issue with the SophosSAU impersonation accounts).

Guess you can safely remove the duplicates

Christian 

I have not been able to test disable/removal of the duplicates as of yet, but I believe this will be fine solution, with the worst case scenario of having to reinstall sophos on the endpoint