Sophos Control Center and Enterprise Console errors during installation: CreateGroupAndUser_mgmtsrv

  • Article ID: 65992
  • Updated: 05 Jul 2013

Issue
When Installing Sophos Control Center or Enterprise Console, you get an error.

  • In Sophos Control Center, the message is:

Setup has encountered an unknown error and cannot recover. Setup will now rollback. Function name: CreateGroupAndUser_mgmtsrv

Action ended [time]: InstallExecute.

  • In Enterprise Console, the message is:

Error creating functionname creategroupanduser_Mgmtsvr

Sophos product and version

Sophos Control Center 4.0.0
Enterprise Console 4.5.0
Enterprise Console 4.0.0

Operating systems affected.
Windows Server 2003. This problem has been seen in Windows 2003 with hotfix 923354 installed (included in service pack 2).

What to do

Step 1. If installing to a domain controller the global catalog role must be moved to this server.

If you are not installing to a domain controller then please skip to step 2.  Otherwise read on.

If installing on a domain controller, ensure that it hosts the global catalog role or remove cross-domain members from the Builtin 'Administrators' group. As an initial test you may want to ensure only the default entries are included for the Built-in “Administrators” group, E.g. 
  • Administrator
  • Domain Admins
  • Enterprise Admins 
Objects such as the following have known to cause this error: 
  • Authenticated users
  • Everyone
  • Other Built-in security accounts or groups (including the SYSTEM account)
  • Other types of domain groups

Technical Information

The "NetlocalgroupAddMembers" function cannot add cross-domain objects to local groups on a Windows Server 2003-based domain controller that has hotfix 923354 installed http://support.microsoft.com/default.aspx?scid=kb;EN-US;950156.

If the issue has not been resolved continue to the next step.

Step 2. Remove any pre-existing groups
  1. Click OK to any error message and allow the installer to completely roll back.
  2. Remove the following groups if they exist:
    • Sophos Console Administrators
    • Sophos Full Administrators
  3. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 3. Manually create the groups
  1. Click OK to any error message and allow the installer to completely roll back.
  2. Remove the following groups if they exist:
    • Sophos DB Admins
    • Sophos Console Administrators
    • Sophos Full Administrators
  3. Manually create the following groups as Domain Local Security groups.  NOTE: Global or Universal group scopes will not work:
    • Sophos DB Admins
    • Sophos Console Administrators
    • Sophos Full Administrators
  4. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 4. Confirm the administrative account (used for the installation) can resolve all membership group names
  1. Open Active Directory Users and Computers (on a domain controller) or Local Users and Groups (on a member server).
  2. Locate the administrative account you are logged on with and open its properties.
  3. On the "Member of" tab check that all group members listed appear correctly.
  4. Remove any groups that do not appear correctly or have a SID value rather than a name.
  5. Save and close the properties.
  6. Log off and back on to the server.
  7. Run the installer again.
If the issue has not been resolved continue to the next step.

Step 5. Debug the cause of the failure.

Technical Information

The custom action: “creategroupanduser_Mgntsvr” is responsible for performing the following actions:
  1. Creating the Windows security groups:
    "Sophos Console Administrators” *
    “Sophos Full Administrators” **

    * Created in all versions of Sophos Enterprise Console and Sophos Control Center.
    ** Created in addition to "Sophos Console Administrators" in Sophos Enterprise Console and Sophos Control Center version 4 onwards.
    Note: On a DC these groups should have the scope “Domain local”.

  2. Retrieving the members of the built-in “Administrators” group and adding them to the above groups.        
If these steps in the installer fail the error message will be displayed.

To enable tracing of this function in order to get an insight of which part is failing the following steps can be taken: 
  1. Create the registry "Key": 
    32-bit: [HKEY_LOCAL_MACHINE\Software\Sophos\TraceInstaller]
    64-bit: [HKEY_LOCAL_MACHINE\Software\wow6432node\Sophos\TraceInstaller]

  2. Download the Microsoft Tool DebugView available from: http://technet.microsoft.com/en-us/sysinternals/bb896647.

  3. Launch DebugView and start capturing, ensuring that 'Capturing Win32' is enabled. 
    Note: For computer running User Account Control (UAC) ensure that the application is launched as an administrator, e.g., right-click on Dbgview.exe and choose 'Run as administrator'.  For more information on DebugView see article 119577.

  4. Re-run the installer, any errors encountered will be displayed in DebugView, these should help you to diagnose the underlying cause.

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments