Recently I have been doing a lot of movements of server roles, one of those was changing our DCs to newer servers that will be pure best practice based (nothing else on them other than AD/DNS/File Storage). One of the old server however had the Sophos Enterprise Console (v4.7 for anyone who is keeping count) on and after removing AD DS from the server I was getting the following error when trying to get to the Sophos Enterprise Console-
Cannot open Sophos Enterprise Console
The user “DOMAIN\Administrator” is not assigned to any sub-estates. You must be a member of at least one sub-estate to run this console.
Contact your Administrator to resolve this issue.
Upon inspection (in Server Manager > Configuration > Local Users and Groups) it appeared that the user group Sophos Full Administrators no longer existed.
The simple solution is to create a new group (called Sophos Full Administrators) and assign your Administrative account to it, the screen shots below show this in a little more detail.