The following updating error is in the ALC.log file:
There was a problem while establishing a connection to the server. Details: LogonUser ("Sophos<computerName>", ".", ...) failed A Windows API call returned error 1329
First seen in
Sophos Anti-Virus for Windows 2000+ 7.6.21
A local security policy or GPO is restricting this account (or accounts) from accessing the network.
The account is created by Sophos AutoUpdate and used for impersonation so that it can access the network to download files from a remote location.
The impersonation account is needed because AutoUpdate normally runs as local SYSTEM, which cannot make a network connection and therefore does not have the privileges to access the network. AutoUpdate therefore impersonates the account it creates to get access to the network. It then uses the supplied credentials (if there are any) from the updating policy to access the distribution folder.
- It is important to understand that the impersonation account is only used to gain access to the network (make a network socket) and not to access a network share.
- For more information on the message '1329 Logon failure: user not allowed to log on to this computer', refer to this Microsoft article.
What To Do
A workaround is to add the Sophos AutoUpdate impersonation account (which is not normally a member of any group) to the 'Users' Windows security group.
- Navigate to Start | Run | Type: compmgmt.msc | Press return.
- Select 'Local Users and Groups' from System Tools in the left-hand pane.
- Then select 'Users' and find the SophosSAU[workstation][unique number] user account.
(If using a domain controller, navigate to Active Directory and find the SophosSAU[servername][unique number] account.)
- Right click on this user account and select 'Properties' and choose the 'Member Of' tab.
- Click 'Add' and select 'Users' from the list and click 'OK' to add, then 'Apply' to complete the change.
- Then right click on the Sophos Shield and select 'Update now' and confirm the update succeeds.
However, it is recommended that you investigate which GPO is locking down or restricting the user account (or the impersonation of user accounts) and resolve the issue that way.
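The workaround and the recommended investigation can also be done from an elevated PowerShell prompt. The script below is an added example, not Sophos code. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) and a local, non-domain-controller account; the output file names under %TEMP% are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
# Account name pattern from the article: SophosSAU[workstation][unique number].
$accounts = Get-LocalUser -Name 'SophosSAU*' -ErrorAction SilentlyContinue
if (-not $accounts) {
    Write-Warning 'No local SophosSAU* account found (on a domain controller, look in Active Directory instead).'
    return
}

# Resolve the built-in Users group by its well-known SID so the script
# also works on localized Windows installations where the name differs.
$usersGroup = Get-LocalGroup -SID 'S-1-5-32-545'
$memberSids = Get-LocalGroupMember -Group $usersGroup | ForEach-Object { $_.SID.Value }

foreach ($acct in $accounts) {
    if ($memberSids -contains $acct.SID.Value) {
        Write-Output "$($acct.Name) is already a member of $($usersGroup.Name)"
    } else {
        Add-LocalGroupMember -Group $usersGroup -Member $acct
        Write-Output "Added $($acct.Name) to $($usersGroup.Name)"
    }
}

# Investigation step 1: export the effective user rights assignments and
# list every logon right (allow and deny) with the SIDs it is granted to.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^Se\w*LogonRight' }
Remove-Item $cfg

# Investigation step 2: write a computer-scope Group Policy report. Its
# "User Rights Assignment" section names the winning GPO for each setting.
$report = Join-Path $env:TEMP 'gpresult_computer.html'
gpresult /scope computer /h $report /f
Write-Output "Group Policy report written to $report"
```

After the script runs, right-click the Sophos Shield and select 'Update now' to confirm the update succeeds, as in the manual procedure.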