Sophos AV : The user is not assigned to any sub-estates
I came across this today on a fresh install of Sophos 4.7 on Windows Server 2008 R2. I confirmed:
User was a member (indirectly) of the SophosAdministrator group in AD DS, and a member (indirectly) of the the local security group “Sophos Full Administrators.” Note indirect. The issue here was caused by nested group membership; the user was a member of a role-based group which was in turn member of a service type group which was used to delegate permissions in Sophos.
There is a known issue where launching the Sophos Enterprise Console as a user who inherits membership of the Sophos Full Administrators group via nested groups fails. Ensure the launching user is a direct member of the group.
More information available here: http://www.sophos.com/support/knowledgebase/article/67106.html