Issue
The local user interface of the product becomes inaccessible, and when access is attempted, it reports an error similar to this:
You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application.
You are not a member of any of the Sophos groups. To launch this application, you must be a member of SophosAdministrator, SophosPowerUser or SophosUser group. Please contact your administrator.
Important: When you check the local group membership of the account attempting to open the main application, it is a member of one or more of the mentioned groups.
Note: The computer can still be managed from the console and protection is not diminished.
First seen in
Sophos Anti-Virus for Windows 2000+ 7.6.21
Cause
The security identifier (SID) value of the computer has changed. Reasons for the SID value changing include:
- Running the Microsoft Sysprep tool.
- Running a tool such as Microsoft's NewSID.
What To Do
The new SID values of the Sophos-related groups must be determined and entered into an XML configuration file. Shown below are two methods for performing this on the endpoint computer; one is via an automatic script. If you prefer, you can perform the steps manually.
Automatically calculate the SID value and update the XML file
- Right-click the following file and 'Save link as...' to the Desktop of the endpoint computer: UpdateSID.vbs.txt
- Remove the .txt file extension.
- Run the file in one of two ways:
  - Either double-click the file
  - or, from a command prompt (Start | Run | Type: cmd.exe | Press return), browse to the Desktop (Type: cd Desktop | Press return) and then type:
    cscript.exe UpdateSID.vbs
The SID values have now been updated and the main application should be able to launch without error.
If the issue still exists follow the manual process below.
Manually calculate the SID value and update the XML file
Obtain the new SID values
- Open a command prompt (Start | Run | Type: cmd.exe | Press return).
- Type:
  wmic /node:localhost group where (localaccount=true and name like 'sophos%') GET Caption, SID > SophosLocalGroups.txt
- Open the SophosLocalGroups.txt file in Notepad by typing SophosLocalGroups.txt from the command prompt.
Once you have run this, open the file SophosLocalGroups.txt using Notepad.exe to obtain the new SIDs of the Sophos groups.
Update the existing SID values to the new ones
- Open Windows services (Start | Run | Type: services.msc | Press return) and stop the Sophos Anti-Virus service.
- Open one of the following files in a text editor, such as Notepad.exe, according to your operating system:
  - For Windows Vista and above:
    C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
  - For Windows 2000/2003/XP:
    C:\documents and settings\All users\Application data\sophos\Sophos Anti-Virus\Config\machine.xml
- At the top of the file, locate the "Security" section. Using the SID values you obtained above, for each of the roles, update the SID values to the new SID value for the local groups, for example:
<role name="SophosAdministrator"><SID>S-1-5-21-3575766963-4128555015-3935694525-1029</SID></role>
<role name="SophosPowerUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1028</SID></role>
<role name="SophosUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1027</SID></role>
Where:
S-1-5-21-3575766963-4128555015-3935694525 is the new SID of the machine and the last number is the unique group identifier.
Note: There may be more than one SID value for each account. In this case, you can add an additional line using the new SID value. Example:
<role name="SophosAdministrator">
<SID>S-1-5-21-286604240-1627713736-1734124843-1234</SID>
<SID>S-1-5-21-286604240-1627713736-1734124843-2345</SID>
<SID>S-1-5-21-286604240-1627713736-1734124843-3456</SID>
</role>
- Once the file machine.xml has been updated, save the file.
- Start the Sophos Anti-Virus service.
- Check that the account, which is a member of one of the above Sophos groups, can now open the Sophos Endpoint Security and Control user interface.
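The manual procedure above, sketched as an added Python example (this is not Sophos's UpdateSID.vbs): it parses the saved wmic output and brings the role entries from machine.xml up to date. The function names, the computer name PC01 and the wrapper elements around the roles are assumptions; only the role and SID elements come from this article.

```python
import re
import xml.etree.ElementTree as ET

SID_RE = re.compile(r"S-\d+(?:-\d+)+")

def decode_wmic(raw):
    # wmic output redirected to a file is usually UTF-16 with a byte-order mark
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "utf-8", errors="replace")

def parse_groups(text):
    """Map group name -> SID from the 'Caption  SID' table in SophosLocalGroups.txt."""
    groups = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:  # skips the header row and blank lines; drops the 'COMPUTER\' prefix
            groups[line[:m.start()].strip().split("\\")[-1]] = m.group(0)
    return groups

def update_roles(xml_text, groups):
    """Return (updated_xml, names_of_roles_changed) for the given machine.xml text."""
    root = ET.fromstring(xml_text)
    changed = []
    for role in root.iter("role"):
        new_sid = groups.get(role.get("name"))
        sids = role.findall("SID")
        if new_sid is None or any((s.text or "").strip() == new_sid for s in sids):
            continue  # not one of the collected groups, or already current
        if len(sids) == 1:
            sids[0].text = new_sid  # single stale value: overwrite it
        else:
            ET.SubElement(role, "SID").text = new_sid  # several values: add a line
        changed.append(role.get("name"))
    return ET.tostring(root, encoding="unicode"), changed

# Constructed sample data; the new SIDs reuse the example values from this article.
SAMPLE_WMIC = (
    "Caption                   SID\r\n"
    "PC01\\SophosAdministrator  S-1-5-21-3575766963-4128555015-3935694525-1029\r\n"
    "PC01\\SophosPowerUser      S-1-5-21-3575766963-4128555015-3935694525-1028\r\n"
    "PC01\\SophosUser           S-1-5-21-3575766963-4128555015-3935694525-1027\r\n"
).encode("utf-16")
SAMPLE_XML = (  # assumed layout: only <role> and <SID> are taken from the article
    '<config><Security>'
    '<role name="SophosAdministrator"><SID>S-1-5-21-1-2-3-1029</SID></role>'
    '<role name="SophosPowerUser"><SID>S-1-5-21-1-2-3-1028</SID><SID>S-1-5-21-9-9-9-500</SID></role>'
    '<role name="SophosUser"><SID>S-1-5-21-3575766963-4128555015-3935694525-1027</SID></role>'
    '</Security></config>'
)
```

As in the manual steps, stop the Sophos Anti-Virus service and keep a copy of machine.xml before writing the result back. ElementTree re-serialises the whole document, so compare the output with the backup, and review roles that held several SIDs by hand because their old entries are left in place.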