You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application. You are not a member of any of the Sophos groups.

  • Article ID: 113207
  • Updated: 03 Dec 2013

Issue

The local user interface of the product becomes inaccessible, and when access is attempted, it reports an error similar to this:

You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application.
You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.

When you check the local group membership of the account attempting to open the main application, it is a member of one or more of the groups mentioned in the error.

Note: The computer can still be managed from the console and protection is not diminished; however, you may see a 'Comparison Failure' error for certain policies.

First seen in

Sophos Anti-Virus for Windows 2000+ 7.6.21

Cause

Important: As of Sophos Anti-Virus (SAV) 10.3.2, the SID values of the Sophos groups are no longer recorded in 'machine.xml'. The config file now references the groups by name to avoid issues caused by the SID values changing. The fixed SID of the system user, i.e. S-1-5-18, is also added to the 'SophosAdministrator' role to enable services such as the Sophos Agent, which runs as 'Local System', to manage SAV.

The security identifier (SID) value of the computer has changed.  Reasons for the SID value changing include:

  • Running the Microsoft Sysprep tool.
  • Running a tool such as Microsoft's NewSID.

What To Do

The new SID values of the Sophos-related groups must be determined and entered into an XML configuration file.  Shown below are two methods for performing this on the endpoint computer; one is via an automatic script.  If you prefer you can perform the steps manually.

Automatically calculate the SID value and update the XML file

  1. Right-click the following file and 'Save link as...' to the Desktop of the endpoint computer: UpdateSID.vbs.txt
  2. Remove the .txt file extension.
  3. Run the file in one of two ways:
    • Either double-click the file
      or
    • From a command prompt (Start | Run | Type: cmd.exe | Press return) browse to the Desktop (Type: cd Desktop | Press return) and then type:
      cscript.exe UpdateSID.vbs

The SID values have now been updated and the main application should be able to launch without error.

Note: Rebooting the computer now can help if the problem persists.

If the issue still exists, follow the manual process below.

Manually calculate the SID value and update the XML file

Obtain the new SID values

  1. Open a command prompt (Start | Run | Type: cmd.exe | Press return).
  2. Type: wmic /node:localhost group where (localaccount=true and name like 'sophos%') GET Caption, SID > SophosLocalGroups.txt
  3. Open the SophosLocalGroups.txt file in Notepad by typing SophosLocalGroups.txt from the command prompt.

The SophosLocalGroups.txt file lists the new SIDs of the Sophos groups.

Update the existing SID values to the new ones

  1. Open Windows services (Start | Run | Type: services.msc | Press return) and stop the Sophos Anti-Virus service.
  2. Open one of the following files in a text editor, such as Notepad.exe, according to your operating system:
    • For Windows Vista and above:
      C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
    • For Windows 2000/2003/XP:
      C:\documents and settings\All users\Application data\sophos\Sophos Anti-Virus\Config\machine.xml
  3. At the top of the file, locate the "Security" section. Using the SID values you obtained above, update the SID value of each role to the new SID value of the corresponding local group, for example:

    <role name="SophosAdministrator"><SID>S-1-5-21-3575766963-4128555015-3935694525-1029</SID></role>
    <role name="SophosPowerUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1028</SID></role>
    <role name="SophosUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1027</SID></role>


    Where:
    S-1-5-21-3575766963-4128555015-3935694525 is the new SID of the machine, and the last number is the unique group identifier.

    Note: There may be more than one SID value for each account.  In this case you can add an additional line using the new SID value.  Example:

    <role name="SophosAdministrator">
      <SID>S-1-5-21-286604240-1627713736-1734124843-1234</SID>
      <SID>S-1-5-21-286604240-1627713736-1734124843-2345</SID>
      <SID>S-1-5-21-286604240-1627713736-1734124843-3456</SID>
    </role>

  4. Once the file machine.xml has been updated, save the file.
  5. Start the Sophos Anti-Virus service.
  6. Check that the account, which is a member of one of the above Sophos groups, can now open the Sophos Endpoint Security and Control user interface.
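
The following read-only check is an added example, not part of the original article or a Sophos tool. It compares the current SID of each local Sophos group with the SID values recorded in machine.xml, which confirms the cause before editing and verifies the result afterwards. It assumes PowerShell 3.0 or later, the Windows Vista and above file location, and role/SID elements shaped like the fragments shown above.

```powershell
# Added example: read-only comparison of local Sophos group SIDs with machine.xml.
# Assumption: <role name="..."><SID>...</SID></role> elements as shown in this article.
$configPath = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
if (-not (Test-Path -LiteralPath $configPath)) {
    throw "machine.xml not found at $configPath"
}

# Same data as the wmic command in the manual steps: local groups named Sophos*.
$groups = Get-CimInstance -ClassName Win32_Group `
    -Filter "LocalAccount=True AND Name LIKE 'Sophos%'"

$xml = New-Object System.Xml.XmlDocument
$xml.Load($configPath)

$report = foreach ($group in $groups) {
    # local-name() keeps the lookup working if the file declares an XML namespace.
    $xpath = "//*[local-name()='role'][@name='$($group.Name)']/*[local-name()='SID']"
    $recorded = @($xml.SelectNodes($xpath) | ForEach-Object { $_.InnerText.Trim() })

    if ($recorded.Count -eq 0) {
        # Expected from SAV 10.3.2 onwards, where groups are referenced by name.
        $status = 'No SID recorded for this role'
    } elseif ($recorded -contains $group.SID) {
        $status = 'Match'
    } else {
        # The recorded values predate the SID change and need updating.
        $status = 'Mismatch'
    }

    [pscustomobject]@{
        Group        = $group.Name
        CurrentSID   = $group.SID
        RecordedSIDs = $recorded -join ', '
        Status       = $status
    }
}

$report | Format-Table -AutoSize -Wrap
```

A 'Mismatch' row identifies a role whose SID lines in machine.xml still hold the old values; the script itself changes nothing.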

If you need more information or guidance, then please contact technical support.