The accounts you need

Accounts required to perform the upgrade

Ensure that the user logged on to and running the upgrade on the management server has sufficient rights to all Sophos databases. The user running the management server upgrade should be a member of the "db_owner" role on each of the Sophos databases (members of the server role "sysadmin" would implicitly have sufficient rights to all databases). These rights are only required temporarily during the upgrade, to check that the new databases have been created and to migrate the data.

Note: For a list of database names per version of the console, see knowledge base article 17323.

Sophos database account

When you upgrade your management console, you might be asked for details of a database account. This happens if your existing account no longer meets the requirements.

Ensure you have an account that:

  • Can log on to the computer where the management console is installed. For distributed installations of Sophos Enterprise Console, the account must be able to log on to the computer where the Sophos Management Server component is installed.
  • Can read and write to the system temporary directory, for example "\windows\temp\". By default, members of "Users" have this right.
  • Has a UPN (User Principal Name) associated with the account if it is a domain account.

All other rights and group memberships that the account needs are granted automatically during the upgrade.

Sophos recommends that the account:

  • Is not set to expire and does not have any other logon restriction.
  • Is not an administrative account.
  • Is not changed after the upgrade.

For more information, see knowledge base article 113954.
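
A pre-upgrade check of the domain-account items listed above (UPN, expiry, logon restrictions, administrative group membership), as an added example that is not Sophos code. It assumes the RSAT ActiveDirectory module and uses the placeholder account name `svc-sophosdb`; local Administrators membership on the management server and access to the temporary directory are not checked.

```powershell
# Added example, not Sophos code. Requires the RSAT ActiveDirectory module.
# 'svc-sophosdb' is a placeholder account name (assumption).
param([string]$SamAccountName = 'svc-sophosdb')

Import-Module ActiveDirectory -ErrorAction Stop

$props = 'UserPrincipalName', 'AccountExpirationDate', 'LogonWorkstations', 'logonHours'
$user  = Get-ADUser -Identity $SamAccountName -Properties $props

# logonHours holds 21 bytes (one bit per hour of the week). Unset, or every
# byte 0xFF, means the account has no time-of-day logon restriction.
$hoursRestricted = @($user.logonHours |
    Where-Object { $null -ne $_ -and $_ -ne 255 }).Count -gt 0

# Look up privileged domain groups by well-known SID so renamed groups are
# still found: <domain SID>-512 is Domain Admins, S-1-5-32-544 is the
# domain's BUILTIN\Administrators group.
$domainSid      = (Get-ADDomain).DomainSID.Value
$privilegedSids = "$domainSid-512", 'S-1-5-32-544'

# -Recursive expands nested groups, so indirect membership is caught too.
$adminGroups = foreach ($sid in $privilegedSids) {
    $group      = Get-ADGroup -Identity $sid
    $memberSids = Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $_.SID.Value }
    if ($memberSids -contains $user.SID.Value) { $group.Name }
}

$checks = @(
    [pscustomobject]@{ Check = 'Has a UPN'
                       Pass  = [bool]$user.UserPrincipalName }
    [pscustomobject]@{ Check = 'Account is not set to expire'
                       Pass  = $null -eq $user.AccountExpirationDate }
    [pscustomobject]@{ Check = 'No workstation logon restriction'
                       Pass  = -not $user.LogonWorkstations }
    [pscustomobject]@{ Check = 'No logon-hours restriction'
                       Pass  = -not $hoursRestricted }
    [pscustomobject]@{ Check = 'Not in a privileged domain group'
                       Pass  = -not $adminGroups }
)

$checks | Format-Table -AutoSize
if ($adminGroups) { Write-Warning "Member of: $($adminGroups -join ', ')" }

# A non-zero exit code lets a deployment script stop before the upgrade starts.
if ($checks.Pass -contains $false) { exit 1 }
```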