How to resolve Sophos Enterprise Console error – the user is not assigned to any sub-estates


While tidying up an old server for a client recently I removed a very old version of Sophos Control Center. We’d been running Sophos Enterprise Console on a new server for almost a year, so I didn’t think uninstalling it would affect the new installation, but I was wrong!

So in this blog post I’ll look at recovering a broken Sophos Enterprise Console, specifically the following error when you open Sophos Enterprise Console:

The user “domain\user” is not assigned to any sub-estates. You must be a member of at least one sub-estate to run the console.

It appears that uninstalling the old version of the Sophos Enterprise Console also removed several AD groups, and possibly the account we used for updating.

My first port of call was the Sophos KB67106 article. In this case we have the Sophos Enterprise Console running on a DC, but no “Sophos Full Administrators” group existed. I created this as a Domain Local group in AD and added my administrator account.

After logging off and back on I was now getting a different, unknown error message, which wasn’t very descriptive. I still couldn’t get into the console, so I took a look at the services.

All the services appeared to be running, so I tried restarting the Sophos Management Service and got the following error message.

Researching 0x80070534 took me to the Sophos KB14509 article. I noticed here that the “Sophos Console Administrators” group was also missing, so I created this as a Domain Local group in AD and added my administrator account.

On trying to start the Sophos Management Service again I was now getting Error 0x80004005. After a little more research I ended up at the Sophos KB111898 article, and I felt I was getting close to a solution. Looking through the article and checking the Event Viewer, I found Event IDs 8004 and 18456. At this point I followed the instructions and ran the sqlcmd commands below from the Enterprise Console directory.

Run the following commands in a command prompt on the database server from the Enterprise Console directory, e.g., Program Files\Sophos\Enterprise Console (or Program Files (x86)\... on a 64-bit computer)…

sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql

However, I got the error message: “The name change cannot be performed because the SID of the new name does not match the old SID of the principal.” This happens because the SQL Server login still holds the SID of the original (deleted) AD group, and the newly created group has a different SID.

Luckily this scenario is covered in the same KB article, so I dropped and recreated the login with the following commands:

sqlcmd -E -S .\sophos -Q "DROP LOGIN [SERVERNAME\Sophos DB Admins]"
sqlcmd -E -S .\sophos -Q "CREATE LOGIN [SERVERNAME\Sophos DB Admins] FROM WINDOWS"

I was then able to re-run the other sqlcmd commands:

sqlcmd -E -S .\SOPHOS -d SOPHOS52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSPATCH52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SOPHOSENC52 -i ResetUserMappings.sql
sqlcmd -E -S .\SOPHOS -d SophosSecurity -i ResetUserMappings.sql

I restarted all of the Sophos services on the server and then opened up the Sophos Enterprise Console and hoped for the best… bingo!

The only other issue I came across was that the SophosUpdateMgr account was missing, and as this is the default account used to distribute updates I couldn’t deploy Sophos to a new client. The symptom was that the Protect Computers wizard returned an error about an invalid account as soon as you clicked Next after entering the domain\user and password details.

After recreating the SophosUpdateMgr account in AD, I updated the password in each of the Update Policies we use in the Sophos Enterprise Console, and the Protect Computers wizard was operational again.
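Before repeating the steps above on another server, it helps to see which of the pieces are actually missing. The following PowerShell check is my own addition (not from the KB articles or Sophos) and assumes the ActiveDirectory and SqlServer modules are available, the SQL instance is named .\SOPHOS, and the login was created with the SERVERNAME\Sophos DB Admins naming from the KB:

```powershell
# Added diagnostic (not part of the original post or the Sophos KB articles).
# Reports the AD groups, the update account, the SQL login SID and the service
# state that the recovery steps above depend on, without changing anything.
# Assumes the ActiveDirectory and SqlServer modules and a ".\SOPHOS" instance.
Import-Module ActiveDirectory
Import-Module SqlServer

$Instance = '.\SOPHOS'
$Groups   = 'Sophos Full Administrators', 'Sophos Console Administrators', 'Sophos DB Admins'

# 1. The AD groups that the console and the management service expect to find.
foreach ($g in $Groups) {
    $obj = Get-ADGroup -Filter "Name -eq '$g'"
    if ($obj) { "OK      group '$g' exists ($($obj.GroupScope))" }
    else      { "MISSING group '$g'" }
}

# 2. The account the Protect Computers wizard uses to distribute updates.
$upd = Get-ADUser -Filter "SamAccountName -eq 'SophosUpdateMgr'"
if ($upd) { "OK      account SophosUpdateMgr exists (enabled: $($upd.Enabled))" }
else      { "MISSING account SophosUpdateMgr" }

# 3. Compare the SID that SQL Server stored for the DB Admins login with the
#    SID of the AD group that exists now. A recreated group gets a new SID, and
#    that mismatch is what produces the "SID of the new name does not match
#    the old SID of the principal" error when ResetUserMappings.sql runs.
$row = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, sid FROM sys.server_principals
WHERE type = 'G' AND name LIKE '%\Sophos DB Admins'
"@ | Select-Object -First 1
$adGroup = Get-ADGroup -Filter "Name -eq 'Sophos DB Admins'"
if ($row -and $adGroup) {
    # sys.server_principals.sid is varbinary; build a SecurityIdentifier from the bytes.
    $sqlSid = (New-Object System.Security.Principal.SecurityIdentifier($row.sid, 0)).Value
    if ($sqlSid -eq $adGroup.SID.Value) {
        "OK      login '$($row.name)' SID matches AD"
    } else {
        "STALE   login '$($row.name)' has SID $sqlSid but AD group is $($adGroup.SID.Value); drop and recreate the login"
    }
} elseif (-not $row) {
    "MISSING SQL login for Sophos DB Admins"
}

# 4. Service state, so a stopped Sophos Management Service is visible at a glance.
Get-Service -DisplayName 'Sophos*' | Select-Object Status, DisplayName
```

A STALE result in step 3 is the condition the DROP LOGIN / CREATE LOGIN pair above fixes; a MISSING group or account points at the AD recreation steps instead.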

The whole experience was quite involved, and if I had wanted to I could have phoned Sophos Technical Support, who are excellent, but I like to try to figure things out myself first. It did reinforce one of the reasons why we use Sophos: their support, and in this case the quality and depth of their knowledge base articles, is excellent.
