About Sophos groups

Sophos Endpoint Security and Control restricts access to certain parts of the software to members of certain Sophos groups.

When Sophos Endpoint Security and Control is installed, each user on this computer is initially assigned to a Sophos group depending on their Windows group.
Windows group Sophos group
Administrators SophosAdministrator
Power Users SophosPowerUser
Users SophosUser

Users who are not assigned to a Sophos group, including Guest users, can only perform the following tasks:

  • On-access scanning
  • Right-click scanning


SophosUsers can perform the tasks above and also perform the following tasks:

  • Open the Sophos Endpoint Security and Control window
  • Set up and run on-demand scans
  • Configure right-click scanning
  • Manage (with limited privileges) quarantined items
  • Create and configure firewall rules


SophosPowerUsers have the same rights as SophosUsers, with the addition of the following rights:

  • Greater privileges in Quarantine manager
  • Access to Authorization manager


SophosAdministrators can use and configure any part of Sophos Endpoint Security and Control.
Note If tamper protection is enabled, a SophosAdministrator must know the tamper protection password to perform the following tasks:
  • Configure on-access scanning.
  • Configure suspicious behavior detection.
  • Disable tamper protection.
Note For more information, see About tamper protection on this computer.