Enterprise Console errors during installation: CreateGroupAndUser_mgmtsrv

  • Artikel-ID: 65992
  • Aktualisiert: 24 Okt 2014

Issue
When Installing Enterprise Console, you get an error:

Error creating functionname creategroupanduser_Mgmtsvr

Sophos product and version

Enterprise Console 4.5.0
Enterprise Console 4.0.0

Operating systems affected.
Windows Server 2003. This problem has been seen in Windows 2003 with hotfix 923354 installed (included in service pack 2).

What to do

Step 1. If installing to a domain controller the global catalog role must be moved to this server.

If you are not installing to a domain controller then please skip to step 2.  Otherwise read on.

If installing on a domain controller, ensure that it hosts the global catalog role or remove cross-domain members from the Builtin 'Administrators' group. As an initial test you may want to ensure only the default entries are included for the Built-in “Administrators” group, E.g. 
  • Administrator
  • Domain Admins
  • Enterprise Admins 
Objects such as the following have known to cause this error: 
  • Authenticated users
  • Everyone
  • Other Built-in security accounts or groups (including the SYSTEM account)
  • Other types of domain groups

Technical Information

The "NetlocalgroupAddMembers" function cannot add cross-domain objects to local groups on a Windows Server 2003-based domain controller that has hotfix 923354 installed http://support.microsoft.com/default.aspx?scid=kb;EN-US;950156.

If the issue has not been resolved continue to the next step.

Step 2. Remove any pre-existing groups
  1. Click OK to any error message and allow the installer to completely roll back.
  2. Remove the following groups if they exist:
    • Sophos Console Administrators
    • Sophos Full Administrators
  3. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 3. Manually create the groups
  1. Click OK to any error message and allow the installer to completely roll back.
  2. Remove the following groups if they exist:
    • Sophos DB Admins
    • Sophos Console Administrators
    • Sophos Full Administrators
  3. Manually create the following groups as Domain Local Security groups.  NOTE: Global or Universal group scopes will not work:
    • Sophos DB Admins
    • Sophos Console Administrators
    • Sophos Full Administrators
  4. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 4. Confirm the administrative account (used for the installation) can resolve all membership group names
  1. Open Active Directory Users and Computers (on a domain controller) or Local Users and Groups (on a member server).
  2. Locate the administrative account you are logged on with and open its properties.
  3. On the "Member of" tab check that all group members listed appear correctly.
  4. Remove any groups that do not appear correctly or have a SID value rather than a name.
  5. Save and close the properties.
  6. Log off and back on to the server.
  7. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 5. Debug the cause of the failure.

Technical Information

The custom action: “creategroupanduser_Mgntsvr” is responsible for performing the following actions:
  1. Creating the Windows security groups:
    "Sophos Console Administrators” *
    “Sophos Full Administrators” **

    * Created in all versions of Sophos Enterprise Console.
    ** Created in addition to "Sophos Console Administrators" in Sophos Enterprise Console.
    Note: On a DC these groups should have the scope “Domain local”.

  2. Retrieving the members of the built-in “Administrators” group and adding them to the above groups.        
If these steps in the installer fail the error message will be displayed.

To enable tracing of this function in order to get an insight of which part is failing the following steps can be taken: 
  1. Create the registry "Key": 
    32-bit: [HKEY_LOCAL_MACHINE\Software\Sophos\TraceInstaller]
    64-bit: [HKEY_LOCAL_MACHINE\Software\wow6432node\Sophos\TraceInstaller]

  2. Download the Microsoft Tool DebugView available from: http://technet.microsoft.com/en-us/sysinternals/bb896647.

  3. Launch DebugView and start capturing, ensuring that 'Capturing Win32' is enabled. 
    Note: For computer running User Account Control (UAC) ensure that the application is launched as an administrator, e.g., right-click on Dbgview.exe and choose 'Run as administrator'.  For more information on DebugView see article 119577.

  4. Re-run the installer, any errors encountered will be displayed in DebugView, these should help you to diagnose the underlying cause.

 
Wenn Sie weitere Informationen oder Unterstützung benötigen, wenden Sie sich bitte an den technischen Support.

Artikel bewerten

Ungenügend Hervorragend

Anmerkungen