The local user interface of the product becomes inaccessible, and when access is attempted, it reports an error similar to this:
You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application.
You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.
When you check the local group membership of the account attempting to open the main application it is a member of one or more of the mentioned groups.
Note: The computer can still be managed from the console and protection is not diminished however you may see a 'Comparison Failure' error for certain policies.
First seen in
Sophos Anti-Virus for Windows 2000+ 7.6.21
Important: As of Sophos Anti-Virus (SAV) 10.3.2, the SID values of the Sophos groups are no longer recorded in 'machine.xml'. The config file now references the groups by their name to avoid issues relating to changing of the SID values. The fixed SID of the system user, i.e. S-1-5-18, is also added to the 'SophosAdministrator' role to enable services such as the Sophos Agent, which runs as 'Local System' to manage SAV.
The security identifier (SID) value of the computer has changed. Reasons for the SID value changing include:
- Running the Microsoft Sysprep tool.
- Running a tool as such Microsoft's NewSID.
What To Do
The new SID values of the Sophos-related groups must be determined and entered into an XML configuration file. Shown below are two methods for performing this on the endpoint computer; one is via an automatic script. If you prefer you can perform the steps manually.
Automatically calculate the SID value and update the XML file
- Right-click the following file and 'Save link as...' to the Desktop of the endpoint computer:UpdateSID.vbs.txt
- Remove the .txt file extension.
- Run the file in one of two ways:
- Either double-click the file
- From a command prompt (Start | Run | Type: cmd.exe | Press return) browse to the Desktop (Type:
cd Desktop | Press return ) and then type:
The SID values have now been updated and the main application should be able to launch without error.
Note: Rebooting the computer now can help if the problem persists.
If the issue still exists follow the manual process below.
Manually calculate the SID value and update the XML file
Obtain the new SID values
- Open a command prompt (Start | Run | Type:
cmd.exe | Press return).
wmic /node:localhost group where (localaccount=true and name like 'sophos%') GET Caption, SID > SophosLocalGroups.txt
- Open the SophosLocalGroups.txt file in Notepad by typing
SophosLocalGroups.txt from the command prompt.
Once you have run this open the file SophosLocalGroups.txt using Notepad.exe to obtain the new SIDs of the Sophos groups.
Update the existing SID values to the new ones
- Open Windows services (Start | Run | Type:
services.msc | Press return) and stop the Sophos Anti-Virus service.
- Open one of the following files in a text editor, such as Notepad.exe, according to your operating system:
- For Windows Vista and above:
- For Windows 2000/2003/XP:
C:\documents and settings\All users\Application data\sophos\Sophos Anti-Virus\Config\machine.xml
At the top of the file, locate the "Security" section. Using the ID values you obtained above, for each of the roles, update the SID values to the new SID value for the local groups, for example,
S-1-5-21-3575766963-4128555015-3935694525 is the new SID of the machine, the last number is the unique group identifier.
Note: There may be more than one SID value for each account. In this case you can add an additional line using the new SID value. Example:
- Once the file
machine.xml has been updated, save the file.
- Start the Sophos Anti-Virus service.
- Check that the account, which is a member of one of the above Sophos groups, can now open the Sophos Endpoint Security and Control user interface.