Sophos AV : The user is not assigned to any sub-estates

I came across this today on a fresh install of Sophos 4.7 on Windows Server 2008 R2. I confirmed:

The user was a member (indirectly) of the SophosAdministrator group in AD DS, and a member (indirectly) of the local security group “Sophos Full Administrators.” Note that both memberships were indirect. The issue here was caused by nested group membership: the user was a member of a role-based group, which was in turn a member of a service-type group that was used to delegate permissions in Sophos.

There is a known issue where launching the Sophos Enterprise Console as a user who inherits membership of the Sophos Full Administrators group via nested groups fails.  Ensure the launching user is a direct member of the group.

More information available here: http://www.sophos.com/support/knowledgebase/article/67106.html
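
To check for this condition on the console server, the following added example (not part of the original post or of Sophos tooling) lists the direct members of the local group through the ADSI WinNT provider, which is available in the PowerShell 2.0 that ships with Server 2008 R2. The account name `EXAMPLE\jdoe` and the helper name `Get-DirectLocalGroupMember` are placeholders chosen for illustration.

```powershell
# Added example, not from the original post.
# Reports whether an account is a DIRECT member of a local group, and if not,
# lists the groups nested inside it (the source of indirect membership).
param(
    [string]$GroupName = 'Sophos Full Administrators',  # local group named in the post
    [string]$Account   = 'EXAMPLE\jdoe'                  # placeholder, DOMAIN\user form
)

# Hypothetical helper: enumerate only the first-level members of a local group.
function Get-DirectLocalGroupMember {
    param([string]$Name)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/MACHINE/name;
        # keep the last two segments to get DOMAIN\name or MACHINE\name.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Account = ($parts[-2..-1] -join '\')
            Class   = $class                      # 'User' or 'Group'
        }
    }
}

$members = @(Get-DirectLocalGroupMember -Name $GroupName)
$direct  = @($members | Where-Object {
    $_.Class -eq 'User' -and $_.Account -eq $Account
})

if ($direct.Count -gt 0) {
    "$Account is a direct member of '$GroupName'."
} else {
    "$Account is NOT a direct member of '$GroupName'."
    "Groups nested in '$GroupName' (membership through these is indirect):"
    $members | Where-Object { $_.Class -eq 'Group' } |
        ForEach-Object { "  $($_.Account)" }
}
```

Run it from an elevated prompt on the server hosting the console; if the account shows up only through one of the listed nested groups, it matches the condition described above.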