Can only open SEC remotely with domain admin rights.

We can only open SEC remotely with domain admin or server Administrator group rights.

Would like to remove user from those two and add to Sophos Console Administrators or Sophos Full Administrators. But SEC won't open when user is added to anything other than Domain Admin or the Server Administrators group. DCOM is Y.

Thanks in advance!

Any and all guidance is appreciated.

 

Cheers!



This thread was automatically locked due to age.
  • Hello Jared Burton,

    it's supposed to work (and it does at my site, but please see the link for possible error causes) when the user is a member of the Sophos Console Administrators group. What's the error that is displayed?

    Christian

  • Hi Christian,

    Thanks for your response, I'll go through that link and see what I can find.

    Here is the error I am receiving when attempting to login with my test user account that has been successfully added to the Sophos Console Administrators group on the SEC server. Am I confusing this local server group with an AD group that may have been created at install that I should be using instead?

     

    Thanks again!

  • Hello Jared,

    "DCOM is Y" means the user is a member of the DCOM Users group?

    Christian

  • The problem I'm running into is that the "Sophos Console Administrators" group is only local to the SEC server itself.

    So when I try to add it to DCOM as well as Management Tools in Regedit, I cannot, as only domain groups are available to add.

    So I can add domain users to the local Sophos Console Administrators group.

    But I cannot add the Sophos Console Administrators group to anything in Regedit that it needs to have access to.

    I do have a SophosAdministrators domain group that I tried to tie to the local Sophos Console Administrators group, but am having no luck with that either.

    For some reason, when the account is made a domain admin, it works, but trying to recreate those permissions with anything other than domain admin, I'm met with failure.

    The server that the SEC rides on was just rebuilt from scratch with the help of Sophos Prof Services so I am wondering if something didn't get provisioned out of haste of the task.


    I'll keep kicking. Thanks for your help Christian.

  • Hello Jared,

    not sure if I understand you correctly. The DCOM Users group is local, isn't it? You should be able to add local or domain users or groups to it ...

    Christian

  • My apologies,

    I was not searching names with the entire group name. I was able to add the local Sophos Console Administrators as well as Sophos Full Administrators groups to both

    HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Ole

    HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Sophos > EE > Management

    I then closed everything, completely logged out of the SEC server, and then tried connecting locally again, no dice.

  • The issue has been resolved. I was not adding the user to the DCOM group correctly. Nothing like a little Google magic to get me on the right path. Thank you for your help Christian!